Abstract. Bi-intuitionistic logic is the extension of intuitionistic logic with a connective dual to implication. Bi-intuitionistic logic was introduced by Rauszer as a Hilbert calculus with algebraic and Kripke semantics. But her subsequent "cut-free" sequent calculus for BiInt has recently been shown by Uustalu to fail cut-elimination. We present a new cut-free sequent calculus for BiInt, and prove it sound and complete with respect to its Kripke semantics. Ensuring completeness is complicated by the interaction between implication and its dual, similarly to future and past modalities in tense logic. Our calculus handles this interaction using extended sequents which pass information from premises to conclusions using variables instantiated at the leaves of failed derivation trees. Our simple termination argument allows our calculus to be used for automated deduction, although this is not its main purpose.



1 Introduction 

Propositional intuitionistic logic (Int) has connectives $\to$, $\land$, $\lor$ and $\neg$, with $\neg\varphi$ often defined as $\neg\varphi := \varphi \to \bot$. Int has a well-known Kripke semantics, where a possible world $w$ makes $\varphi \to \psi$ true if every successor $v$ that makes $\varphi$ true also makes $\psi$ true. Int also has an algebraic semantics in terms of Heyting algebras, and there is a well-known embedding from Int into the classical modal logic S4. Int is constructive in that it rejects the Law of Excluded Middle: that is, $\varphi \lor \neg\varphi$ is not a theorem of Int.

Propositional dual intuitionistic logic (DualInt) has connectives ${-\!\!<}$, $\land$, $\lor$ and ${\sim}$, with ${\sim}\varphi$ often defined as ${\sim}\varphi := \top {-\!\!<} \varphi$. DualInt also has Kripke semantics, where a possible world $w$ makes $\varphi {-\!\!<} \psi$ true if there exists a predecessor $v$ where $\varphi$ holds, but $\psi$ does not hold: that is, $\varphi$ excludes $\psi$. Thus, the ${-\!\!<}$ connective of DualInt is dual to implication in Int. DualInt also has algebraic semantics in terms of Brouwer algebras [13]. There is a less well-known embedding from DualInt into S4. DualInt is para-consistent in that it rejects the Law of Non-contradiction: that is, $\varphi \land {\sim}\varphi$ is DualInt-satisfiable. Various names have been used for ${-\!\!<}$: coimplication [24,23], subtraction [2,3], pseudo-difference [16], explication [15]. We refer to it as exclusion.

National ICT Australia is funded by the Australian Government's Dept of Communications, Information Technology and the Arts and the Australian Research Council through Backing Australia's Ability and the ICT Centre of Excellence program.

Bi-intuitionistic logic (BiInt), also known as subtractive logic and Heyting-Brouwer logic, is the union of Int and DualInt, and it is a conservative extension of both. BiInt was first studied by Rauszer [15,16]. BiInt is an interesting logic to study, since it combines the constructive aspects of Int with the para-consistency of DualInt. While every Int-theorem is also a BiInt-theorem, adding DualInt connectives introduces a non-constructive aspect to the logic - the disjunction property does not hold for BiInt formulae if they contain ${-\!\!<}$. Note that BiInt differs from intuitionistic logic with constructive negation, also known as constructible falsity [14], where the disjunction property does hold.

While the proof theory of Int and DualInt separately has been studied extensively and there are many cut-free sequent systems for Int (for example, [8,6,5]) and DualInt (for example, [20,4]), the case for BiInt is less satisfactory. Although Rauszer presented a sequent calculus for BiInt in [15] and "proved" it cut-free, Uustalu has recently given a counter-example [21] to her cut-elimination theorem: the formula $p \to (q \lor (r \to ((p {-\!\!<} q) \land r)))$ is BiInt-valid, but cannot be derived in Rauszer's calculus without the cut rule. Similarly, Uustalu's counterexample shows that Crolard's sequent calculus [2] for BiInt is not cut-free. Uustalu's counterexample fails in both Rauszer's and Crolard's calculi because they limit certain sequent rules to singleton succedents or antecedents in the conclusion, and the rules do not capture the interaction between implication and exclusion.

Uustalu and Pinto have also given a cut-free sequent-calculus for BiInt in [23]. Since only the abstract of this work has been published so far, we have not been able to examine their sequent rules, or verify their proofs. According to the abstract [23] and personal communication with Uustalu [22], his calculus uses labelled formulae, thereby utilising some semantic aspects, such as explicit worlds and accessibility, directly in the rules. Hence a traditional cut-free sequent calculus for BiInt is still an open problem.

We present a new purely syntactic cut-free sequent calculus for BiInt. We avoid Rauszer's and Crolard's restrictions on the antecedents and succedents for certain rules by basing our rules on Dragalin's GHPC [5] which allows multiple formulae on both sides of sequents. To maintain intuitionistic soundness, we restrict the premise of the implication-right rule to a singleton in the succedent. Dually, the premise of our exclusion-left rule is restricted to a singleton in the antecedent. But using Dragalin's calculus and its dual does not give us BiInt completeness. We therefore follow Schwendimann [17], and use sequents which pass relevant information from premises to conclusions using variables instantiated at the leaves of failed derivation trees. We then recompute parts of our derivation trees using the new information, similarly to the restart technique of [11]. Our calculus thus uses a purely syntactic addition to traditional sequents, rather than resorting to a semantic mechanism such as labels. Our termination argument also relies on two new rules from Svejdar [18].

If we were interested only in decision procedures, we could obtain a decision procedure for BiInt by embedding it into the tense logic Kt.S4 [24], and using tableaux for description logics with inverse roles [11]. However, an embedding into Kt.S4 provides no proof-theoretic insights into BiInt itself. Moreover, the restart technique of Horrocks et al. [11] involves non-deterministic expansion of disjunctions, which is complicated by inverse roles. Their actual implementation avoids this non-determinism by keeping a global view of the whole counter-model under construction. In contrast, we handle this non-determinism by syntactically encoding it using variables and extended formulae, neither of which have a semantic content. Our purely syntactic approach is preferable for proof-theoretic reasons, since models are never explicitly involved in the proof system: see Remark 3.

The rest of the paper is organized as follows. In Section 2, we define the syntax and semantics of BiInt. In Section 3, we introduce our sequent calculus GBiInt and give an example derivation of Uustalu's interaction formula. We prove the soundness and completeness of GBiInt in Sections 4 and 5 respectively. In Section 6, we outline further work.

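2 Syntax and Semantics of BiInt

In this section we introduce the syntax and semantics of BiInt.

Definition 1 (Syntax). The formulae of BiInt are defined as:

$$p ::= \top \mid \bot \mid p_0 \mid p_1 \mid \cdots \qquad (2.1)$$

$$\varphi ::= p \mid \neg\varphi \mid \varphi \land \varphi \mid \varphi \lor \varphi \mid \varphi \to \varphi \mid \varphi {-\!\!<} \varphi \mid {\sim}\varphi \qquad (2.2)$$

We refer to the set of atoms as Atoms, and we refer to the set of BiInt formulae as Fml.

The connectives $\neg$ and $\to$ are those of intuitionistic logic, and the connectives ${\sim}$ and ${-\!\!<}$ are those of dual intuitionistic logic. The connectives $\lor$ and $\land$ are from both.

Definition 2 (Length). The length of a BiInt formula $\chi$ is defined as:

$$\mathrm{len}(\chi) = \begin{cases} 1 & \text{if } \chi \in \mathrm{Atoms} \\ \mathrm{len}(\varphi) + 1 & \text{if } \chi \in \{\neg\varphi, {\sim}\varphi\} \\ \mathrm{len}(\varphi) + \mathrm{len}(\psi) + 1 & \text{if } \chi \in \{\varphi \lor \psi,\ \varphi \land \psi,\ \varphi \to \psi,\ \varphi {-\!\!<} \psi\} \end{cases}$$

We use the language of classical first-order logic when reasoning about BiInt at the meta-level.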

Definition 3 (Frame). A BiInt frame is a pair $(W, \mathcal{R})$, where:

1. $W$ is a non-empty set of worlds;

2. $\mathcal{R} \subseteq W \times W$ is the binary accessibility relation;

3. $\mathcal{R}$ is reflexive, i.e., $\forall u \in W.\ u\mathcal{R}u$;

4. $\mathcal{R}$ is transitive, i.e., $\forall u,v,w \in W.\ (u\mathcal{R}v \ \&\ v\mathcal{R}w \Rightarrow u\mathcal{R}w)$.

Definition 4 (Model). A BiInt model is a triple $\mathcal{M} = (W, \mathcal{R}, \vartheta)$, where:

1. $(W, \mathcal{R})$ is a BiInt frame;

2. The truth valuation $\vartheta$ is a function $W \times \mathrm{Atoms} \to \{true, false\}$, which tells us the truth value of an atom at a world;

3. The persistence property holds:

$$\forall u,w \in W.\ \forall p \in \mathrm{Atoms}.\ (\vartheta(w,p) = true \ \&\ w\mathcal{R}u \Rightarrow \vartheta(u,p) = true);$$

4. $\forall w \in W.\ \vartheta(w, \top) = true$;

5. $\forall w \in W.\ \vartheta(w, \bot) = false$.

Definition 5 (Forcing of atoms). Given a model $\mathcal{M} = (W, \mathcal{R}, \vartheta)$, a world $w \in W$ and an atom $p \in \mathrm{Atoms}$, we write $w \vDash p$ if $\vartheta(w,p) = true$. We pronounce $\vDash$ as "forces", and we pronounce $\nvDash$ as "rejects".

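Definition 6 (Forcing of formulae). Given a model $\mathcal{M} = (W, \mathcal{R}, \vartheta)$, a world $w \in W$ and formulae $\varphi, \psi \in \mathrm{Fml}$, we write:

$$\begin{array}{lll}
w \vDash \varphi \lor \psi & \text{if} & w \vDash \varphi \text{ or } w \vDash \psi \\
w \vDash \varphi \land \psi & \text{if} & w \vDash \varphi \ \&\ w \vDash \psi \\
w \vDash \neg\varphi & \text{if} & \forall u \in W.[w\mathcal{R}u \Rightarrow (u \nvDash \varphi)] \\
w \vDash \varphi \to \psi & \text{if} & \forall u \in W.[w\mathcal{R}u \Rightarrow (u \nvDash \varphi \text{ or } u \vDash \psi)] \\
w \vDash {\sim}\varphi & \text{if} & \exists u \in W.[u\mathcal{R}w \ \&\ u \nvDash \varphi] \\
w \vDash \varphi {-\!\!<} \psi & \text{if} & \exists u \in W.[u\mathcal{R}w \ \&\ u \vDash \varphi \ \&\ u \nvDash \psi]
\end{array}$$

From the semantics, it can be seen that the connectives $\neg$ and ${\sim}$ can be derived from $\to$ and ${-\!\!<}$ respectively. Therefore from now on we restrict our attention to the connectives $\to$, ${-\!\!<}$, $\land$, $\lor$ only.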

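Lemma 1. The persistence property also holds for formulae, that is:

$$\forall \mathcal{M} = (W, \mathcal{R}, \vartheta).\ \forall u,w \in W.\ \forall \varphi \in \mathrm{Fml}.\ (w \vDash \varphi \ \&\ w\mathcal{R}u \Rightarrow u \vDash \varphi).$$

Proof. By induction on the length of $\varphi$.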
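A brute-force check of Definitions 3 to 6 and Lemma 1, as an added example that is not code from the paper: it evaluates forcing over every model with at most a few worlds, so a result of `None` reports a bounded search, not a proof of validity. The tuple encoding of formulae and all function names are assumptions of this example.

```python
from itertools import product

# Formula encoding (constructed for this example, not from the paper):
#   "p"             atom                  ("top",) / ("bot",)   constants
#   ("and", a, b)   ("or", a, b)          ("imp", a, b)         a -> b
#   ("excl", a, b)  exclusion a -< b      ("neg", a)            intuitionistic negation
#   ("dneg", a)     dual negation ~a

def forces(R, val, w, f):
    """Definition 6: True iff world w forces f. R is a set of pairs (u, v) meaning uRv."""
    if isinstance(f, str):
        return f in val[w]
    op = f[0]
    if op == "top":
        return True
    if op == "bot":
        return False
    if op == "and":
        return forces(R, val, w, f[1]) and forces(R, val, w, f[2])
    if op == "or":
        return forces(R, val, w, f[1]) or forces(R, val, w, f[2])
    succ = [v for (u, v) in R if u == w]  # successors of w
    pred = [u for (u, v) in R if v == w]  # predecessors of w
    if op == "imp":
        return all(not forces(R, val, v, f[1]) or forces(R, val, v, f[2]) for v in succ)
    if op == "neg":
        return all(not forces(R, val, v, f[1]) for v in succ)
    if op == "excl":
        return any(forces(R, val, u, f[1]) and not forces(R, val, u, f[2]) for u in pred)
    if op == "dneg":
        return any(not forces(R, val, u, f[1]) for u in pred)
    raise ValueError(f"unknown connective: {op!r}")

def models(max_worlds, atoms):
    """Enumerate every model of Definitions 3 and 4 with at most max_worlds worlds."""
    for n in range(1, max_worlds + 1):
        off_diag = [(u, v) for u in range(n) for v in range(n) if u != v]
        for bits in product([False, True], repeat=len(off_diag)):
            # Reflexive by construction; keep only the transitive relations.
            R = {(w, w) for w in range(n)} | {e for e, b in zip(off_diag, bits) if b}
            if any((u, x) not in R for (u, v) in R for (y, x) in R if v == y):
                continue
            for vbits in product([False, True], repeat=n * len(atoms)):
                val = [frozenset(a for j, a in enumerate(atoms)
                                 if vbits[w * len(atoms) + j]) for w in range(n)]
                # Persistence of atoms (Definition 4, item 3).
                if all(val[u] <= val[v] for (u, v) in R):
                    yield R, val

def witness(f, atoms, max_worlds, want):
    """First (R, val, w) where the forcing of f at w equals `want`, else None."""
    for R, val in models(max_worlds, atoms):
        for w in range(len(val)):
            if forces(R, val, w, f) == want:
                return R, val, w
    return None

def persistent(f, atoms, max_worlds):
    """Lemma 1 on all small models: w forces f and wRu imply u forces f."""
    return all(forces(R, val, u, f) or not forces(R, val, w, f)
               for R, val in models(max_worlds, atoms) for (w, u) in R)

EXCLUDED_MIDDLE = ("or", "p", ("neg", "p"))        # not a theorem of Int
CONTRADICTION = ("and", "p", ("dneg", "p"))        # DualInt-satisfiable
UUSTALU = ("imp", "p", ("or", "q", ("imp", "r", ("and", ("excl", "p", "q"), "r"))))

if __name__ == "__main__":
    print("p or not-p rejected at:", witness(EXCLUDED_MIDDLE, ["p"], 2, want=False))
    print("p and ~p forced at:", witness(CONTRADICTION, ["p"], 2, want=True))
    print("Uustalu's formula rejected in a model of <= 3 worlds:",
          witness(UUSTALU, ["p", "q", "r"], 3, want=False))
    print("persistence of p -< q:", persistent(("excl", "p", "q"), ["p", "q"], 3))
```

With a single world every connective behaves classically, which is why both witnesses need a second world.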

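Lemma 2. The reverse persistence property holds:

$$\forall \mathcal{M} = (W, \mathcal{R}, \vartheta).\ \forall u,w \in W.\ \forall \varphi \in \mathrm{Fml}.\ (w \nvDash \varphi \ \&\ u\mathcal{R}w \Rightarrow u \nvDash \varphi).$$

Proof. Reverse persistence follows from persistence, because the truth valuation is binary. That is, suppose for a contradiction that

$$\exists \mathcal{M} = (W, \mathcal{R}, \vartheta).\ \exists u,w \in W.\ \exists \varphi \in \mathrm{Fml}.\ (w \nvDash \varphi \ \&\ u\mathcal{R}w \ \&\ u \vDash \varphi).$$

Then $u \vDash \varphi$ and $u\mathcal{R}w$ together with the persistence property give us $w \vDash \varphi$, which contradicts $w \nvDash \varphi$.

We write $\epsilon$ to mean the empty set. Given two sets of formulae $\Delta$ and $\Gamma$, we write $\Delta, \Gamma$ for $\Delta \cup \Gamma$. Given a set of formulae $\Delta$ and a formula $\varphi$, we write $\Delta, \varphi$ for $\Delta \cup \{\varphi\}$.

Definition 7. Given a model $\mathcal{M} = (W, \mathcal{R}, \vartheta)$, a world $w \in W$ and sets of formulae $\Gamma$ and $\Delta$, we write:

$$\begin{array}{lll}
w \vDash \Gamma & \text{if} & \forall \varphi \in \Gamma.\ w \vDash \varphi \\
w \mathrel{=\!\!|} \Delta & \text{if} & \forall \varphi \in \Delta.\ w \nvDash \varphi.
\end{array}$$

As a corollary, for any world $w$, we vacuously have $w \vDash \epsilon$ and $w \mathrel{=\!\!|} \epsilon$.

Definition 8 (Consequence). Given two sets $\Gamma$ and $\Delta$ of formulae, $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$ means:

$$\forall \mathcal{M} = (W, \mathcal{R}, \vartheta).\ \forall w \in W.\ \text{if } w \vDash \Gamma \text{ then } \exists \varphi \in \Delta.\ w \vDash \varphi.$$

We write $\Gamma \nVdash_{\mathrm{BiInt}} \Delta$ to mean that it is not the case that $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$, that is:

$$\exists \mathcal{M} = (W, \mathcal{R}, \vartheta).\ \exists w \in W.\ (w \vDash \Gamma \ \&\ w \mathrel{=\!\!|} \Delta).$$

Thus $\Gamma \nVdash_{\mathrm{BiInt}} \Delta$ means that $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$ is falsifiable.

We wish to prove $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$ by failing to falsify $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$. By Definition 8, $\Gamma \nVdash_{\mathrm{BiInt}} \Delta$ means that there exists a BiInt model $\mathcal{M} = (W, \mathcal{R}, \vartheta)$ that contains a world $w_0 \in W$ such that $w_0 \vDash \Gamma$ and $w_0 \mathrel{=\!\!|} \Delta$. We therefore try to construct the model using a standard counter-model construction approach: see [7]. We shall start with an initial world $w_0$ and assume that $w_0 \vDash \Gamma$ and $w_0 \mathrel{=\!\!|} \Delta$, and then systematically decompose the formulae in $\Gamma$ and $\Delta$. The procedure will either:

— lead to a contradiction and therefore conclude that it cannot be the case that $w_0 \vDash \Gamma$ and $w_0 \mathrel{=\!\!|} \Delta$, therefore $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$ holds, OR

— construct the counter-model successfully and therefore demonstrate that it is possible that $w_0 \vDash \Gamma$ and $w_0 \mathrel{=\!\!|} \Delta$, therefore $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$ does not hold.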

3 Our Sequent Calculus GBiInt

We now present GBiInt, a Gentzen-style sequent calculus for BiInt. The sequents have a non-traditional component in the form of variables that are instantiated at the leaves of the derivation tree, and passed back to lower sequents from premises to conclusion. Note that the variables are not names for Kripke models and have no semantic content.

3.1 Sequents 

First, we introduce an extended syntax that will help us in the presentation of 
some of our sequent rules. 

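Definition 9 (Extended Syntax). The extended BiInt formulae are defined as follows:

1. If $\varphi$ is a BiInt formula, then $\varphi$ is an extended BiInt formula,

2. If $\mathcal{S}$ and $\mathcal{P}$ are sets of sets of BiInt formulae, then $\bigvee \mathcal{S}$ and $\bigwedge \mathcal{P}$ are extended BiInt formulae.

If $\mathcal{S} = \{\{\varphi_0^0, \cdots, \varphi_0^n\}, \cdots, \{\varphi_m^0, \cdots, \varphi_m^k\}\}$ and $\mathcal{P} = \{\{\psi_0^0, \cdots, \psi_0^n\}, \cdots, \{\psi_m^0, \cdots, \psi_m^k\}\}$, then from every extended BiInt formula we can obtain a BiInt formula as follows:

$$\bigvee \mathcal{S} \equiv (\varphi_0^0 \land \cdots \land \varphi_0^n) \lor \cdots \lor (\varphi_m^0 \land \cdots \land \varphi_m^k)$$

$$\bigwedge \mathcal{P} \equiv (\psi_0^0 \lor \cdots \lor \psi_0^n) \land \cdots \land (\psi_m^0 \lor \cdots \lor \psi_m^k)$$

From now on, we implicitly treat extended BiInt formulae as their BiInt equivalents. The following semantics follows directly from Definition 9:

Definition 10 (Semantics of Extended Syntax). Given a BiInt model $\mathcal{M} = (W, \mathcal{R}, \vartheta)$, and a world $w \in W$, we write:

$$\begin{array}{lll}
w \vDash \bigvee \mathcal{S} & \text{if} & \exists \Gamma \in \mathcal{S}.\ w \vDash \Gamma \\
w \mathrel{=\!\!|} \bigwedge \mathcal{P} & \text{if} & \exists \Delta \in \mathcal{P}.\ w \mathrel{=\!\!|} \Delta.
\end{array}$$

We can now extend the definition of forcing and rejecting to extended BiInt formulae in the obvious way. If $\Gamma$ and $\Delta$ are sets of extended BiInt formulae viewed as their BiInt equivalents, and $\varphi$ is an extended BiInt formula viewed as its BiInt equivalent, then:

$$\begin{array}{lll}
w \vDash \Gamma & \text{if} & \forall \varphi \in \Gamma.\ w \vDash \varphi \\
w \mathrel{=\!\!|} \Delta & \text{if} & \forall \varphi \in \Delta.\ w \nvDash \varphi.
\end{array}$$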

Definition 11 (Sequent). A GBiInt sequent is an expression of the form

$${}^{\mathcal{S}}_{\mathcal{P}} \,\|\, \Gamma \vdash \Delta$$

and consists of the following components:

Left hand side (LHS): $\Gamma$, a set of extended BiInt formulae;
Right hand side (RHS): $\Delta$, a set of extended BiInt formulae;
Variables: $\mathcal{S}$, $\mathcal{P}$, each of which is a set of sets of formulae.

We shall sometimes use $\Gamma \vdash \Delta$ to refer to sequents, ignoring the variable values for readability. We shall only do that in cases where the values of the variables are not important to the discussion. Note that the variables do not contain extended BiInt formulae.

We now define the meaning of a sequent in terms of the counter-model under construction.

Definition 12 (Falsifiability). A sequent

$${}^{\mathcal{S}}_{\mathcal{P}} \,\|\, \Gamma \vdash \Delta$$

is falsifiable [at $w_0$ in $\mathcal{M}$] if and only if there exists a BiInt model $\mathcal{M} = (W, \mathcal{R}, \vartheta)$ and $\exists w_0 \in W$ such that $w_0 \vDash \Gamma$ and $w_0 \mathrel{=\!\!|} \Delta$.

Definition 13 (Variable conditions). We say the variable conditions of a sequent

$$\gamma = {}^{\mathcal{S}}_{\mathcal{P}} \,\|\, \Gamma \vdash \Delta$$

hold if and only if $\gamma$ is falsifiable at $w_0$ in some model $\mathcal{M} = (W, \mathcal{R}, \vartheta)$ and the following conditions hold:

$\mathcal{S}$-condition: Successor condition

$$\exists \Sigma \in \mathcal{S}.\ \forall w \in W.\ w_0\mathcal{R}w \Rightarrow w \vDash \Sigma$$

$\mathcal{P}$-condition: Predecessor condition

$$\exists \Pi \in \mathcal{P}.\ \forall w \in W.\ w\mathcal{R}w_0 \Rightarrow w \mathrel{=\!\!|} \Pi$$

Lemma 3. A sequent $\Gamma \vdash \Delta$ is not falsifiable if and only if $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$.

Proof. Applying the negation of Definition 12 to $\Gamma \vdash \Delta$ gives $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$.



3.2 Sequent Rules 

Definition 14 (Sequent Rule). A sequent rule is of one of the forms

$$(\textit{name})\ \frac{\gamma_1 \quad \cdots \quad \gamma_n}{\gamma_0}\ \text{(solid line)} \qquad\qquad (\textit{name})\ \frac{\gamma_1 \quad \cdots \quad \gamma_n}{\gamma_0}\ \text{(dashed line)}$$

with side conditions written underneath, where $\gamma_i$, $0 \le i \le n$ for $n \ge 0$, are sequents. The rule consists of the following components:

Conclusion: $\gamma_0$, written below the horizontal line;

Premise(s): Optional, $\gamma_1, \cdots, \gamma_n$, written above the horizontal line;

Name: Written to the left of the horizontal line;

Side conditions: Optional, written underneath the rule;

Branching: Universal (indicated by a solid line) or existential (indicated by a dashed line); explained shortly.

To achieve completeness and termination for BiInt, we combine a number of ideas from various existing systems for Int, as well as use variables for updating worlds with relevant information received from successors and predecessors. Our rules can be divided into two groups: traditional (Fig. 1) and non-traditional (Fig. 2).

Our traditional rules (Fig. 1) are based on Dragalin's GHPC [5] for Int because we require multiple formulae in the succedents and antecedents of sequents for completeness; we have added symmetric rules for the DualInt connective ${-\!\!<}$. The main difference is that our $(\to_L)$ rule and the symmetric $({-\!\!<}_R)$ carry their principal formula and all side formulae into the premises. Our rules for $\land$ and $\lor$ also carry their principal formula into their premises to assist with termination. Note that there are other approaches to a terminating sequent calculus for Int, e.g., Dyckhoff's contraction-free calculi [6], or history methods by Heuerding et al. [10] and Howe [12]. These methods are less suitable when the interaction between Int and DualInt formulae needs to be considered, since they erase potentially relevant formulae too soon during backward proof search. Moreover, we found it easier to prove semantic completeness with our loop-checking method than with history-based methods since both [10] and [12] prove completeness using syntactic transformations of derivations. Consequently, while GBiInt is sound and complete for the Int (and DualInt) fragment of BiInt, it is unlikely to be as efficient on the fragment as these specific calculi.

Fig. 1. GBiInt rules - traditional. [Rule schemata omitted.]
For every rule with premises $\pi_i$ and conclusion $\gamma$, apply the rule only if: $\forall \pi_i.(LHS_{\pi_i} \not\subseteq LHS_\gamma \text{ or } RHS_{\pi_i} \not\subseteq RHS_\gamma)$

Our rules for $\to$ on the right and ${-\!\!<}$ on the left (Fig. 2) are non-traditional. The $(\to_R)$ and $({-\!\!<}_L)$ rules have two premises instead of one, and they are connected by existential branching as indicated by the dotted horizontal line. Existential branching means that the conclusion is derivable if some premise is derivable; thus it is dual to the conventional universal branching, where the conclusion is derivable if all premises are derivable. We chose existential branching rather than two separate non-invertible rules so the left premise can communicate information via variables to the right premise. This inter-premise communication and the use of variables is crucial to proving interaction formulae of BiInt, and it gives our calculus an operational reading.

When applying an existential branching rule during backward proof search, we first create the left premise. If the left premise is non-derivable, then it returns the variables $\mathcal{S}_1$ and $\mathcal{P}_1$. We then use these variables to create the right premise, which corresponds to the same world as the conclusion, but with updated information. Our existential branching rules work together with (Ret), which assigns the variables at non-derivable leaves of failed derivation trees, and $(\bigwedge_R)$ and $(\bigvee_L)$, which extract the different variable choices at existential branching rules.

Fig. 2. GBiInt rules - non-traditional: (Ret), $(\to^I_R)$, $({-\!\!<}^I_L)$, $(\to_R)$, $({-\!\!<}_L)$, $(\bigwedge_R)$, $(\bigvee_L)$. [Rule schemata omitted.]
(Ret), with conclusion $\Gamma \vdash \Delta$, assigns $\mathcal{S} := \{\Gamma\}$ and $\mathcal{P} := \{\Delta\}$, where no other rule is applicable.
$(\to_R)$, with conclusion $\Gamma \vdash \Delta, \varphi \to \psi$, assigns $\mathcal{S}/\mathcal{P} := \mathcal{S}_1/\mathcal{P}_1$ if $\mathcal{P}_1 = \epsilon$; $\mathcal{S}_2/\mathcal{P}_2$ if right prem created; $\{\Gamma\}/\{\Delta, \varphi \to \psi\}$ otherwise. Right prem created only if $\mathcal{P}_1 \neq \epsilon \ \&\ \forall \Pi_1 \in \mathcal{P}_1.\ \Pi_1 \not\subseteq \{\Delta, \varphi \to \psi\}$.
$({-\!\!<}_L)$, with conclusion $\Gamma, \varphi {-\!\!<} \psi \vdash \Delta$, assigns $\mathcal{S}/\mathcal{P} := \mathcal{S}_1/\mathcal{P}_1$ if $\mathcal{S}_1 = \epsilon$; $\mathcal{S}_2/\mathcal{P}_2$ if right prem created; $\{\Gamma, \varphi {-\!\!<} \psi\}/\{\Delta\}$ otherwise. Right prem created only if $\mathcal{S}_1 \neq \epsilon \ \&\ \forall \Sigma_1 \in \mathcal{S}_1.\ \Sigma_1 \not\subseteq \{\Gamma, \varphi {-\!\!<} \psi\}$.
For every universally branching rule with premises $\pi_i$ and conclusion $\gamma$, apply the rule only if: $\forall \pi_i.(LHS_{\pi_i} \not\subseteq LHS_\gamma \text{ or } RHS_{\pi_i} \not\subseteq RHS_\gamma)$
For every existentially branching rule with left premise $\pi$ and conclusion $\gamma$, apply the rule only if: $LHS_\pi \not\subseteq LHS_\gamma \text{ or } RHS_\pi \not\subseteq RHS_\gamma$

The conclusion of each of our rules assigns the variables based on the variables returned from the premise(s), and we use the indices $i$, 1, 2 to indicate the premise from which the variable takes its value. For rules with a single premise, the variables are simply passed down from premise to conclusion. For example, the conclusion of $(\land_L)$ in Fig. 1 assigns $\mathcal{S} := \mathcal{S}_1$, where $\mathcal{S}_1$ is the value of the variable at the premise. However, for rules with multiple universally branching premises, we take a union of the sets of sets corresponding to each falsifiable premise. For example, the conclusion of $(\bigwedge_R)$ in Fig. 2 assigns $\mathcal{S} := \bigcup_1^n \mathcal{S}_i$, where $\mathcal{S}_i$ is the value of the variable at the $i$-th premise.

This way, the sets of sets stored in our variables determinise the return of formulae to lower sequents - each non-derivable premise corresponds to an open branch, and at this point we do not know whether it will stay open once processed in conjunction with lower sequents. Therefore, we need to temporarily keep all open branches: see Example 2. Then the intuition behind adding $\bigwedge \mathcal{P}$ to the right premise of $(\to_R)$ is that the subsequent application of $(\bigwedge_R)$ will create one or more premises, depending on the cardinality of $\mathcal{P}$. Since $\mathcal{P}$ is a set of sets representing all the open branches, all of the premises of $(\bigwedge_R)$ have to be derivable in order to obtain a derivation. On the other hand, if some premises of $(\bigwedge_R)$ are non-derivable (open), we form the set that consists of the union of the variables returned by those premises, and pass the union back to lower sequents, and so on. The premises that are derivable contribute only $\epsilon$ and are thus ignored by the union operator. Also, we only create the right premise of $(\to_R)$ if every member of $\mathcal{P}$ introduces new formulae to the current world. Otherwise, the current world already contains one of the open branches, which would still remain open after an application of $(\bigwedge_R)$. To summarise, the sets-of-sets concept of variables is critical to the soundness of GBiInt, as it allows us to remember the required choices arising further up the tree.

The extended syntax allows us to syntactically encode the variable choices described above. While the variables $\mathcal{S}$ and $\mathcal{P}$ are sets of sets when we pass them down the tree and combine them using set union, we use $\bigvee \mathcal{S}$ on the left and $\bigwedge \mathcal{P}$ on the right of the sequent to reflect these choices when we add $\bigvee \mathcal{S}$ or $\bigwedge \mathcal{P}$ to the right premise of an existentially branching rule. Then the $(\bigvee_L)$ and $(\bigwedge_R)$ rules break down the extended formulae $\bigvee \mathcal{S}$ and $\bigwedge \mathcal{P}$ to yield several premises, each corresponding to one variable choice. Thus the extended syntax allows us to give an intuitive syntactic representation of the variable choices.

We have also added the rule $(\to^I_R)$ for implication on the right (and dually, $({-\!\!<}^I_L)$) originally given by Svejdar [18]. Rather than immediately creating the successor for a rejected $\varphi \to \psi$, the $(\to^I_R)$ rule first pre-emptively adds $\psi$ to the right hand side of the sequent. Although Svejdar himself does not give the semantics behind this rule, and is unable to explain the precise role it plays in his calculus, it is very useful in our termination proof. The rule effectively uses the reverse persistence property - if some successor $v$ forces $\varphi$ and rejects $\psi$, then the current world $w$ must reject $\psi$ too, for if $w$ forces $\psi$, then by forward persistence so does $v$, thus giving a contradiction.

The side condition on each of our rules is a general blocking condition, where we only explore the premise(s), if they are different from the conclusion. For example, in the $(\land_R)$ case, the blocking condition means that we apply the rule in backward proof search only if $\varphi \notin \Delta$ and $\psi \notin \Delta$, since otherwise some premise would be equal to the conclusion.

GBiInt also has the subformula property. This is obvious for all rules, except $(\to_R)$ and the dual $({-\!\!<}_L)$. For these, the right premise "constructs" the formulae $\bigwedge \mathcal{P}$ and $\bigvee \mathcal{S}$. However, since $\mathcal{P}$ and $\mathcal{S}$ are sets of sets of subformulae of the conclusion that are again extracted by $(\bigwedge_R)$ and $(\bigvee_L)$, the right premise of $(\to_R)$ and $({-\!\!<}_L)$ effectively only contains subformulae of the conclusion.

Definition 15 (GBiInt tree). A GBiInt tree for a sequent ${}^{\mathcal{S}}_{\mathcal{P}} \,\|\, \Gamma \vdash \Delta$ is a tree rooted at ${}^{\mathcal{S}}_{\mathcal{P}} \,\|\, \Gamma \vdash \Delta$, such that:

1. Each child is obtained by a backwards application of a GBiInt rule, and

2. Each leaf is an instance of a $(\bot_L)$, $(\top_R)$, (Id) or (Ret) rule.

Definition 16. A GBiInt tree $T$ rooted at $\gamma = {}^{\mathcal{S}}_{\mathcal{P}} \,\|\, \Gamma \vdash \Delta$ is a derivation if:

1. $\gamma$ is the conclusion of a $(\bot_L)$, $(\top_R)$ or (Id) rule application, OR,

2. $\gamma$ is the conclusion of a universal branching rule application, and all its premises are derivations, OR,

3. $\gamma$ is the conclusion of an existential branching rule application, and some premise is a derivation.

We say that $\gamma$ is derivable if there exists a derivation for $\gamma$.
We say that $\gamma$ is not derivable if $\gamma$ has no derivation.



3.3 Examples 

In the following examples, we use a simplified version of the $(\land_R)$ rule, which discards the principal formula from the premises, merely to save horizontal space. Also, we only show non-empty variable values.

Example 1. The following is a derivation tree of Uustalu's counterexample, the interaction formula $p \to (q \lor (r \to ((p {-\!\!<} q) \land r)))$, simplified to the sequent $p \vdash q, r \to ((p {-\!\!<} q) \land r)$. We abbreviate $X := r \to ((p {-\!\!<} q) \land r)$. The tree should be read bottom-up while ignoring the variables $\mathcal{S}$ and $\mathcal{P}$. At the leaves, the variables are assigned and transmit information down to parents and across to some siblings. The top left application of (Ret) occurs because an application of the $({-\!\!<}_R)$ rule to the bolded $p {-\!\!<} q$ is blocked, since its left premise would not be different from its conclusion.

Notice that the key to finding the contradiction is the bolded $p {-\!\!<} q$ formula that is passed from the left-most leaf node back to the right premise (1) of the $(\to_R)$ rule. Also, the $(\bigwedge_R)$ rule in (1) is unary in this case, since the returned $\mathcal{P}$ variable contains only one set of formulae.

[Derivation tree for Example 1, not reproduced: the root is $p \vdash q, r \to ((p {-\!\!<} q) \land r)$, and the subtree (1) is rooted at $p \vdash q, X, \bigwedge\{\{p {-\!\!<} q\}\}$.]

Example 2. The following example is a GBiInt-tree of a falsifiable sequent, and it shows how in the case of multiple choices for the variables, a contradiction caused by one of them does not give us a derivation. We abbreviate $Y := (\top {-\!\!<} p) \land (\top {-\!\!<} q)$, and X := Y

[GBiInt-tree for Example 2, with subtree (2), not reproduced: the variable returned to (2) is $\mathcal{P} = \{\{\top {-\!\!<} p\}, \{\top {-\!\!<} q\}\}$.]

In this case, the $(\bigwedge_R)$ rule in (2) has two premises, since the returned $\mathcal{P}$ variable contains two sets of formulae. Since only the left premise of the $(\bigwedge_R)$ rule is derivable, the conclusion is not derivable. Thus, the open branch corresponding to the bolded member $\{\top {-\!\!<} q\}$ of $\mathcal{P}$ remains open. If we did not return both variable choices from the left sibling of (2), then we might mistakenly derive (2) without seeing this open branch.

Lemma 4. If a GBiInt-tree $T$ rooted at $\gamma = {}^{\mathcal{S}}_{\mathcal{P}} \,\|\, \Gamma \vdash \Delta$ is a derivation then $\mathcal{S} = \mathcal{P} = \epsilon$.

Proof. By induction on the longest branch in $T$.



3.4 Termination Proof 

We first show that proof search in GBiInt terminates because the subsequent soundness proof relies on our ability to receive the variables from the left premises of transitional rules.

Definition 17. The rules of GBiInt are categorised as follows:

Operational: (Ret);

Logical:

Static: (Id), $(\bot_L)$, $(\top_R)$, $(\land_L)$, $(\lor_L)$, $(\land_R)$, $(\lor_R)$, $(\to_L)$, $({-\!\!<}_R)$, $(\to^I_R)$, $({-\!\!<}^I_L)$;

Transitional: $(\to_R)$, $({-\!\!<}_L)$;

Special: $(\bigvee_L)$, $(\bigwedge_R)$.

The intuition behind the classification of the logical rules is that the static rules add formulae to the current world in the counter-model, the transitional rules create new worlds and add formulae to them, and the special rules decompose variables returned from non-derivable leaves. We shall prove this formally for each rule later. The classification justifies the following search strategy.

Definition 18 (Strategy). The strategy defined in Figure 3 is used when applying the rules of our sequent calculus in backward proof search. Note that we have left out the variables for simplicity.

Function Prove

Input: sequent $\gamma_0$

Output: Derivable (true or false)

1. If $\rho \in \{(Id), (\bot_L), (\top_R)\}$ applicable to $\gamma_0$ then
   (a) Return true

2. Else if any special or static rule $\rho$ applicable to $\gamma_0$ then
   (a) Let $\gamma_1, \cdots, \gamma_n$ be the premises of $\rho$
   (b) Return $\bigwedge_{i=1}^{n} Prove(\gamma_i)$

3. Else for each transitional rule $\rho$ applicable to $\gamma_0$ do
   (a) Let $\gamma_1$ and $\gamma_2$ be the premises of $\rho$
   (b) If $\bigvee_{i \in \{1,2\}} Prove(\gamma_i) = true$ then return true

4. Endif

5. Return false.

Fig. 3. Proof search strategy. Note that we have left out the variables for simplicity. $\bigwedge_{i=1}^{n} Prove(\gamma_i)$ is true iff $Prove(\gamma_i)$ is true for all premises $\gamma_i$ for $1 \le i \le n$, and $\bigvee_{i \in \{1,2\}} Prove(\gamma_i)$ is true iff $Prove(\gamma_i)$ is true for some premise $\gamma_i$ for $i \in \{1, 2\}$.

Definition 19 (Subformulae). For a BiInt formula, we define the subformulae as follows, where $p \in \mathrm{Atoms}$ and $\varphi, \psi \in \mathrm{Fml}$:

$$\begin{array}{lll}
sf(p) & = & \{p\} \\
sf(\varphi \lor \psi) & = & sf(\varphi) \cup sf(\psi) \cup \{\varphi \lor \psi\} \\
sf(\varphi \land \psi) & = & sf(\varphi) \cup sf(\psi) \cup \{\varphi \land \psi\} \\
sf(\varphi \to \psi) & = & sf(\varphi) \cup sf(\psi) \cup \{\varphi \to \psi\} \\
sf(\varphi {-\!\!<} \psi) & = & sf(\varphi) \cup sf(\psi) \cup \{\varphi {-\!\!<} \psi\} \\
sf(\bigvee \mathcal{S}) & = & \bigcup_{\Sigma \in \mathcal{S}} sf(\Sigma) \\
sf(\bigwedge \mathcal{P}) & = & \bigcup_{\Pi \in \mathcal{P}} sf(\Pi)
\end{array}$$

For a set $\Gamma$ of extended BiInt formulae, we define $sf(\Gamma) = \bigcup_{\chi \in \Gamma} sf(\chi)$.

Note that the subformulae of $\bigvee \mathcal{S}$ and $\bigwedge \mathcal{P}$ do not include the conjunctions and disjunctions implicit in their BiInt equivalents.

Definition 20 (LEN). Let $>_{len}$ be a lexicographic ordering of sequents:

$$(\Gamma_2 \vdash \Delta_2) >_{len} (\Gamma_1 \vdash \Delta_1) \text{ iff } |\Gamma_2| > |\Gamma_1| \text{ or } (|\Gamma_2| = |\Gamma_1| \text{ and } |\Delta_2| > |\Delta_1|)$$

Definition 21. Given a GBiInt-tree $T$ and a branch $B$ in $T$, we say that $B$ is forward-only if $B$ contains only applications of static and special rules, $(\to_R)$ and the right premises of $({-\!\!<}_L)$. Similarly, $B$ is backward-only if $B$ contains only applications of static and special rules, $({-\!\!<}_L)$ and the right premises of $(\to_R)$. A branch is single-directional if it is either forward-only or backward-only. Finally, a branch contains interleaved left premises of transitional rules if it contains a sequence $(\cdots, \gamma_i, \cdots, \gamma_j, \cdots, \gamma_k, \cdots)$ such that $\gamma_i$ is the left premise of $(\to_R)$, $\gamma_j$ is the left premise of $({-\!\!<}_L)$, and $\gamma_k$ is the left premise of $(\to_R)$.

Lemma 5. Every forward-only branch of any GBilnt-tree is finite. 

Proof. We show that on every such branch, the length of a sequent defined 
according to >; e „ increases. 

Consider a rule p, and a backwards application of p to some r h A, which 
yields n premises A h4„ where 1 < i < n. 

We show that if p is a static rule, then for all premises i, we have (A h 
Ai) > len (r h 

pe {(A L ), (V L ), (^£)}: Then |A| > |r|; 
p = (-£): Then |A| - |r| and |^| > \A\; 

p= (— Then for the left premise, |A| = |-T| and |Z\i| > Z\|, and for the 

right premise, \r 2 \ > \r\; 
p= (—<r): Then for the left premise, |A| > |^|, and for the right premise, 

\r 2 \ = \r\ and \A 2 \ > \A\. 

We now show the cases for $\rho \in \{(\to_R), (-\!\!<_L), (\bigwedge_R), (\bigvee_L)\}$. Even though the right premise of $(\to_R)$ and $(-\!\!<_L)$ itself is not greater than the conclusion, we show that the lemma holds on the overall GBiInt branch, since according to the strategy we immediately apply $(\bigwedge_R)$ or $(\bigvee_L)$, thus increasing the length of the premise according to $>_{len}$.

$\rho = (\to_R)$: For every $(\to_R)$ rule application:

1. Consider the left premise $\Gamma_1 \vdash \Delta_1$. We know that according to our strategy, the $(\to^I_R)$ rule has already been applied and thus $\psi \in \Delta$, so $(\to_R)$ is applied only if $\varphi \notin \Gamma$. Therefore, for the left premise, we have $|\Gamma_1| > |\Gamma|$.

2. Consider the right premise $\Gamma_2 \vdash \Delta_2$. It is created only if

$\mathcal{P}_1 \neq \epsilon$ & $\forall \Pi_i \in \mathcal{P}_1 . \Pi_i \not\subseteq \{\Delta, \varphi \to \psi\}$. (3.1)

That is, every member of $\mathcal{P}_1$ introduces new formulae to the RHS. But recall that $sf(\bigwedge \mathcal{P}_1) \subseteq sf(\Gamma \cup \Delta)$. According to our strategy, the $(\bigwedge_R)$ rule will be immediately applied to $\bigwedge \mathcal{P}_1$ in $\Delta_2$, giving $n \ge 1$ premises $\Gamma_2^j \vdash \Delta_2^j$ where $1 \le j \le n$. By 3.1, we will then have $|\Delta_2^j| > |\Delta|$ for all $j$. We also have $|\Gamma_2^j| = |\Gamma|$ for all $j$. Therefore, according to the lexicographic ordering, we have $(\Gamma_2^j \vdash \Delta_2^j) >_{len} (\Gamma \vdash \Delta)$ for all the premises $\Gamma_2^j \vdash \Delta_2^j$.

$\rho = (\bigwedge_R)$: Since the $(\bigwedge_R)$ rule is only used in conjunction with the right premise of the $(\to_R)$ rule, see case 2 above;
$\rho = (-\!\!<_L)$: For every $(-\!\!<_L)$ rule application:

1. The assumption of the lemma does not apply to the left premise;

2. The case for the right premise is dual to the case for $(\to_R)$ above.
$\rho = (\bigvee_L)$: By symmetry with the case for $(\bigwedge_R)$ above;

Since the length of a sequent defined according to $>_{len}$ increases on every forward-only branch as shown above, and since GBiInt has the subformula property, eventually no more formulae can be added to a sequent on a forward-only branch, and the branch will terminate.

Lemma 6. Every backward-only branch of any GBiInt-tree is finite.
Proof. By symmetry with Lemma 5.

Lemma 7. If a GBiInt-tree contains an infinite branch, then the branch contains an infinite number of interleaved left premises of transitional rules.

Proof. By Lemmas 5 and 6, single-directional branches must eventually terminate. Thus, a potential infinite loop must involve an infinite number of interleaved left premises of transitional rules $(\to_R)$ and $(-\!\!<_L)$.

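Definition 22 (Degree). The degree of a BiInt formula $\chi$ is defined as:

$deg(\chi) = 0$ if $\chi \in Atoms$
$deg(\chi) = deg(\varphi) + deg(\psi)$ if $\chi \in \{\varphi \lor \psi, \varphi \land \psi\}$
$deg(\chi) = deg(\varphi) + deg(\psi) + 1$ if $\chi \in \{\varphi \to \psi, \varphi -\!\!< \psi\}$

Thus, the degree of $\varphi$ is the number of $\to$ and $-\!\!<$ connectives in $\varphi$.
The degree of a sequent $\Gamma \vdash \Delta$ is defined as:

$deg(\Gamma \vdash \Delta) = \sum_{\varphi \in sf(\Gamma \cup \Delta)} deg(\varphi)$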

Note that we have deliberately defined the degree of a sequent as the sum of the degrees of subformulae, because it allows us to make the following observations, which will be crucial in the main termination proof.

Corollary 1. Since GBiInt has the subformula property, the degree of a sequent can never increase in backward proof search. In other words, no GBiInt rule can increase the degree of a sequent.

Corollary 2. Given two sequents $\gamma_1$ and $\gamma_2$, if $sf(\gamma_2) \subset sf(\gamma_1)$, then $deg(\gamma_2) < deg(\gamma_1)$. That is, removing some formula $\varphi$ from a sequent during backward proof search decreases the degree of the sequent if $\varphi$ is not a subformula of any other formula in the sequent, since $\varphi$ no longer contributes to the sum of degrees of subformulae.
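The degree measure of Definition 22, computed along a short branch, as an added example that is not part of the paper. The tuple encoding of formulae and the three sequents (a conclusion, the left premise of an implication-right step, then the left premise of an exclusion-left step, with static steps omitted) are constructed for illustration.

```python
def atom(name):
    return ("atom", name)


def sf(f):
    """Subformulae of a formula built from atoms and the four binary connectives."""
    if f[0] == "atom":
        return {f}
    return sf(f[1]) | sf(f[2]) | {f}


def sf_sequent(gamma, delta):
    """sf of a sequent: the union of sf over both sides."""
    out = set()
    for f in set(gamma) | set(delta):
        out |= sf(f)
    return out


def deg(f):
    """Number of implication ("imp") and exclusion ("excl") connectives in f."""
    if f[0] == "atom":
        return 0
    return deg(f[1]) + deg(f[2]) + (1 if f[0] in ("imp", "excl") else 0)


def deg_sequent(gamma, delta):
    """Sum of deg over the set of subformulae, so a shared subformula counts once."""
    return sum(deg(f) for f in sf_sequent(gamma, delta))


def max_degree_formulae(gamma, delta):
    """The subformulae of maximal degree (the chi of the termination proof)."""
    subs = sf_sequent(gamma, delta)
    top = max(deg(f) for f in subs)
    return {f for f in subs if deg(f) == top}


P, Q, R = atom("p"), atom("q"), atom("r")
EXCL = ("excl", P, Q)        # p -< q
CHI = ("imp", EXCL, R)       # (p -< q) -> r

# Constructed branch, read bottom-up as in backward proof search.
BRANCH = [
    (frozenset(), frozenset({CHI})),         # |- (p -< q) -> r
    (frozenset({EXCL}), frozenset({R})),     # left premise: p -< q |- r
    (frozenset({P}), frozenset({Q, R})),     # left premise: p |- q, r
]


def degrees(branch):
    return [deg_sequent(g, d) for g, d in branch]


if __name__ == "__main__":
    print("degrees along the branch:", degrees(BRANCH))
    print("maximal-degree formula at the root:", max_degree_formulae(*BRANCH[0]))
    # Dropping a formula that is still a subformula of another one changes nothing.
    print(deg_sequent({EXCL}, {CHI}) == deg_sequent(set(), {CHI}))
```

The last check shows the caveat in Corollary 2: the degree only drops when the removed formula is not a subformula of anything that stays in the sequent.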

Theorem 1 (Termination). Every GBiInt-tree constructed according to the strategy of Definition 18 is finite.

Proof. Suppose for a contradiction that there exists an infinite GBiInt-tree $T$. Since every rule has a finite number of premises, i.e., finite branching, then by König's lemma an infinite tree can only be obtained by having a branch of infinite length. Thus, $T$ has an infinite branch $B$. By Lemma 7, $B$ must contain an infinite number of interleaved left premises of transitional rules, as shown below (top of the branch first):

$\pi_2 = (\Gamma_2 \vdash \Delta_2, \varphi_2 \to \psi_2)$
$\vdots$
$\pi_1 = (\varphi_1 \vdash \psi_1, \Delta_1)$
$\Gamma_1, \varphi_1 -\!\!< \psi_1 \vdash \Delta_1$
$\vdots$
$\pi_0 = (\Gamma_0 \vdash \Delta_0, \varphi_0 \to \psi_0)$

Let $\chi \in sf(\pi_0)$ be some formula such that $deg(\chi) = max(\{deg(\varphi) \mid \varphi \in sf(\pi_0)\})$, that is, $\chi$ is one of the subformulae with the maximum degree. In particular, this means that $\chi$ is not a subformula of any formula with a larger degree. We shall now show that $\chi \notin sf(\pi_2)$.

There are two cases:

$\chi \notin sf(\Gamma_0)$: Then $\chi \in sf(\Delta_0)$ or $\chi = \varphi_0 \to \psi_0$. In both cases, $\chi \notin sf(\pi_2)$.
$\chi \in sf(\Gamma_0)$: Then it cannot be the case that $\chi \in sf(\varphi_1)$ or $\chi \in sf(\psi_1)$, since then $deg(\varphi_1 -\!\!< \psi_1) > deg(\chi)$, contradicting our assumption that $deg(\chi) = max(\{deg(\varphi) \mid \varphi \in sf(\pi_0)\})$. Therefore, either:
— $\chi$ and all its occurrences in subformulae disappear from the sequent at the premise of $(-\!\!<_L)$, in which case $\chi \notin sf(\pi_2)$, or
— $\chi$ is moved to the RHS of the sequent by applying the $(\to_L)$ rule to some formula $\chi \to \tau$. However, since $deg(\chi \to \tau) > deg(\chi)$, it again contradicts our assumption that $deg(\chi) = max(\{deg(\varphi) \mid \varphi \in sf(\pi_0)\})$.

We have shown that for some formula $\chi$ we have $\chi \in sf(\pi_0)$ and $\chi \notin sf(\pi_2)$. Also, by the subformula property of GBiInt we have $sf(\pi_2) \subseteq sf(\pi_0)$. Together with $\chi \in sf(\pi_0)$ and $\chi \notin sf(\pi_2)$, this means $sf(\pi_2) \subset sf(\pi_0)$. Then by Corollary 2 we have $deg(\pi_2) < deg(\pi_0)$. Note that the steps indicated by vertical ellipses ($\vdots$) are arbitrary, since by Corollary 1 no rule can increase the degree of a sequent.

Since we have $deg(\pi_2) < deg(\pi_0)$, we know that every sequence of interleaved transitional rule applications must decrease the degree of the sequent. This can only happen a finite number of times, until no more transitional rules are applicable. Therefore our assumption was wrong, and no branch $B$ can be infinite. Therefore, every GBiInt-tree is finite.

4 Soundness 

4.1 Proof Outline 

Instead of the traditional approach of showing that each rule application preserves validity downwards, we use the notion of falsifiability and show that each rule application preserves falsifiability upwards. We then use Lemma 3 to make the connection between falsifiability and validity.

Also, our addition of variables to the calculus introduces a two-way flow of information in the GBiInt trees, and this complicates the usually simple soundness proof.

We separate the notion of soundness into two: local soundness, applicable locally to a single rule application, and global soundness, which takes into account the propagation of variables from the leaves down to some node, and possible instances of the operational (Ret) rule. Note that locality here refers to locality in the GBiInt trees, not locality in the underlying Kripke models. We use the notions of static and transitional rules to classify the rules according to this latter notion.

4.2 Local soundness 

Definition 23 (Local soundness). A logical rule in GBiInt is locally sound if and only if:

— For rules with universal branching: if the conclusion is falsifiable, then some premise is falsifiable;

— For rules with existential branching: if the conclusion is falsifiable, then all premises are falsifiable.

We shall now show that each static and special rule is locally sound, and we shall then use induction on the height of a derivation tree to extend our proof to arbitrary trees containing static rules, special rules, transitional rules and the operational (Ret) rule.

Lemma 8. Each static and special rule of GBiInt is locally sound.

Proof. We consider each static and special rule in turn. We assume that the conclusion is falsifiable, and show that some premise is falsifiable.



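1. (Id), with conclusion $\Gamma, \varphi \vdash \Delta, \varphi$ and $\mathcal{S} := \epsilon$, $\mathcal{P} := \epsilon$.

The conclusion of this rule is never falsifiable, because no BiInt model can contain a world $w$ such that $w \vDash \varphi$ and $w \nvDash \varphi$.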



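2. $(\bot_L)$, with conclusion $\Gamma, \bot \vdash \Delta$ and $\mathcal{S} := \epsilon$, $\mathcal{P} := \epsilon$.

The conclusion of this rule is never falsifiable, because by Property 5 of Definition 4, no BiInt model can contain a world $w$ such that $w \vDash \bot$.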

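3. $(\top_R)$, with conclusion $\Gamma \vdash \Delta, \top$ and $\mathcal{S} := \epsilon$, $\mathcal{P} := \epsilon$.

The conclusion of this rule is never falsifiable, because by Property 4 of Definition 4, no BiInt model can contain a world $w$ such that $w \nvDash \top$.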



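4. $(\land_R)$, with premises $\Gamma \vdash \Delta, \varphi \land \psi, \varphi$ (variables $\mathcal{S}_1$, $\mathcal{P}_1$) and $\Gamma \vdash \Delta, \varphi \land \psi, \psi$ (variables $\mathcal{S}_2$, $\mathcal{P}_2$), conclusion $\Gamma \vdash \Delta, \varphi \land \psi$, and $\mathcal{S} := \mathcal{S}_1 \cup \mathcal{S}_2$, $\mathcal{P} := \mathcal{P}_1 \cup \mathcal{P}_2$.

Since the conclusion is falsifiable by assumption, we know from Definition 12 that there exists a world $w_0$ such that:

(i) $w_0 \vDash \Gamma$ and

(ii) $w_0 =\!| \Delta, \varphi \land \psi$.

From the semantics of $\land$ in BiInt, (ii) implies that either:

(ii.1) $w_0 =\!| \Delta, \varphi \land \psi, \varphi$ or

(ii.2) $w_0 =\!| \Delta, \varphi \land \psi, \psi$.

To show that some premise of the $(\land_R)$ rule is falsifiable, we need to show that there exists a world $w'$ such that some premise is falsifiable at $w'$. We let $w' = w_0$.

Then case (ii.1) together with (i) gives us that the left premise is falsifiable, or case (ii.2) together with (i) gives us that the right premise is falsifiable.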



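5. $(\lor_L)$, with premises $\Gamma, \varphi \lor \psi, \varphi \vdash \Delta$ (variables $\mathcal{S}_1$, $\mathcal{P}_1$) and $\Gamma, \varphi \lor \psi, \psi \vdash \Delta$ (variables $\mathcal{S}_2$, $\mathcal{P}_2$), conclusion $\Gamma, \varphi \lor \psi \vdash \Delta$, and $\mathcal{S} := \mathcal{S}_1 \cup \mathcal{S}_2$, $\mathcal{P} := \mathcal{P}_1 \cup \mathcal{P}_2$.

By symmetry with the $(\land_R)$ rule.

6. $(\lor_R)$, a single-premise rule with $\mathcal{S} := \mathcal{S}_1$ and $\mathcal{P} := \mathcal{P}_1$.

Since the conclusion is falsifiable by assumption, we know from Definition 12 that there exists a world $w_0$ such that:

(i) $w_0 \vDash \Gamma$ and

(ii) $w_0 =\!| \Delta, \varphi \lor \psi$.

To show that the premise of the $(\lor_R)$ rule is falsifiable, we need to show that there exists a world $w'$ such that the premise is falsifiable at $w'$. We let $w' = w_0$.

From the semantics of $\lor$ in BiInt, (ii) implies that $w_0 =\!| \Delta, \varphi \lor \psi, \varphi$ and $w_0 =\!| \Delta, \varphi \lor \psi, \psi$. Together with (i), this means that the premise is falsifiable.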

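7. $(\land_L)$, with premise $\Gamma, \varphi \land \psi, \varphi, \psi \vdash \Delta$ (variables $\mathcal{S}_1$, $\mathcal{P}_1$), conclusion $\Gamma, \varphi \land \psi \vdash \Delta$, and $\mathcal{S} := \mathcal{S}_1$, $\mathcal{P} := \mathcal{P}_1$.

By symmetry with the $(\lor_R)$ rule.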

8. $(\to_L)$, a two-premise rule with conclusion $\Gamma, \varphi \to \psi \vdash \Delta$ and $\mathcal{S} := \mathcal{S}_1 \cup \mathcal{S}_2$, $\mathcal{P} := \mathcal{P}_1 \cup \mathcal{P}_2$.

Since the conclusion is falsifiable by assumption, we know from Definition 12 that there exists a world $w_0$ such that:

(i) $w_0 \vDash \Gamma, \varphi \to \psi$ and

(ii) $w_0 =\!| \Delta$.

From the semantics of $\to$ in BiInt, (i) implies that for all successors $w$, we have $w \nvDash \varphi$ or $w \vDash \psi$.

By reflexivity of $\mathcal{R}$, this applies to $w_0$ too, so we have:

(i.1) $w_0 \nvDash \varphi$ or

(i.2) $w_0 \vDash \psi$.

To show that some premise of the $(\to_L)$ rule is falsifiable, we need to show that there exists a world $w'$ such that some premise is falsifiable at $w'$. We let $w' = w_0$.

Then items (i), (ii) and (i.1) give us that the left premise is falsifiable, or items (i), (ii) and (i.2) give us that the right premise is falsifiable.



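9. $(-\!\!<_R)$, a two-premise rule with one premise $\Gamma \vdash \Delta, \varphi -\!\!< \psi, \varphi$, conclusion $\Gamma \vdash \Delta, \varphi -\!\!< \psi$, and $\mathcal{S} := \mathcal{S}_1 \cup \mathcal{S}_2$, $\mathcal{P} := \mathcal{P}_1 \cup \mathcal{P}_2$.

By symmetry with $(\to_L)$.

10. $(\to^I_R)$, with premise $\Gamma \vdash \Delta, \varphi \to \psi, \psi$ (variables $\mathcal{S}_1$, $\mathcal{P}_1$), conclusion $\Gamma \vdash \Delta, \varphi \to \psi$, and $\mathcal{S} := \mathcal{S}_1$.

Since the conclusion is falsifiable by assumption, we know from Definition 12 that there exists a world $w_0$ such that:

(i) $w_0 \vDash \Gamma$ and

(ii) $w_0 =\!| \Delta, \varphi \to \psi$.

From the semantics of $\to$ in BiInt, (ii) implies that there exists a successor $w_1$ such that:

(iii) $w_0 \mathcal{R} w_1$ and

(iv) $w_1 \vDash \varphi$ and

(v) $w_1 \nvDash \psi$.

Then, by the reverse persistence property of BiInt, and (iii) and (v), we have:

(vi) $w_0 \nvDash \psi$.

To show that the premise of the $(\to^I_R)$ rule is falsifiable, we need to show that there exists a world $w'$ such that the premise is falsifiable at $w'$. We let $w' = w_0$.

Then items (i), (ii) and (vi) give us that the premise is falsifiable.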



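11. $(-\!\!<^I_L)$, a single-premise rule with conclusion $\Gamma, \varphi -\!\!< \psi \vdash \Delta$ and $\mathcal{S} := \mathcal{S}_1$, $\mathcal{P} := \mathcal{P}_1$.

By symmetry with the $(\to^I_R)$ rule.

12. $(\bigvee_L)$, with premises $\Gamma, \Sigma_1 \vdash \Delta$ (variables $\mathcal{S}_1$, $\mathcal{P}_1$) to $\Gamma, \Sigma_n \vdash \Delta$ (variables $\mathcal{S}_n$, $\mathcal{P}_n$) and conclusion $\Gamma, \bigvee \mathcal{S} \vdash \Delta$.

Since the conclusion is falsifiable by assumption, we know from Definition 12 that there exists a world $w_0$ such that:

(i) $w_0 \vDash \Gamma, \bigvee \mathcal{S}$ and

(ii) $w_0 =\!| \Delta$.

From the semantics of $\bigvee \mathcal{S}$ (recall Definition 10), (i) implies that:

(iii) for some $\Sigma_i \in \mathcal{S}$, we have $w_0 \vDash \Sigma_i$.

To show that some premise of the $(\bigvee_L)$ rule is falsifiable, we need to show that there exists a world $w'$ such that this premise is falsifiable at $w'$. We let $w' = w_0$.

Then items (i), (ii) and (iii) give us that the $i$-th premise containing $\Sigma_i$ is falsifiable at $w_0$.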



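13. $(\bigwedge_R)$, with premises $\Gamma \vdash \Delta, \Pi_1$ (variables $\mathcal{S}_1$, $\mathcal{P}_1$) to $\Gamma \vdash \Delta, \Pi_n$ (variables $\mathcal{S}_n$, $\mathcal{P}_n$), conclusion $\Gamma \vdash \Delta, \bigwedge \mathcal{P}$, and $\mathcal{S} := \bigcup_1^n \mathcal{S}_i$.

By symmetry with $(\bigvee_L)$.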

Remark 1. Note that the static rules also preserve falsifiability downwards: if some premise $\pi$ is falsifiable, then the conclusion $\gamma$ is falsifiable. This is easy to see, since we have $LHS_\pi \supseteq LHS_\gamma$ and $RHS_\pi \supseteq RHS_\gamma$.

4.3 Global soundness 

We have shown that all the static and special rules preserve falsifiability upwards, in other words, they are locally sound. Since the $\mathcal{S}$ and $\mathcal{P}$ variables propagate downwards, from the leaves to the root, we can only reason about the variable conditions of rules when we consider an entire tree rooted at a rule application. Similarly, since the soundness of the transitional rules relies on the variables, we can only reason about it if we consider an entire tree rooted at a transitional rule application. We shall now show that GBiInt rules are globally sound, that is, they preserve falsifiability upwards and variable conditions downwards.

Lemma 9 (Global soundness). Given any GBiInt tree $T$, for every sequent $\gamma_0 \in T$, the following holds: if $\gamma_0$ is falsifiable, then:

1. Some universally branching, or all existentially branching, premises are falsifiable,

2. The variable conditions hold at $\gamma_0$.

Proof. By induction on the length $h(\gamma_0)$ of the longest branch from $\gamma_0$ to a leaf sequent of $T$.

Base case: $h(\gamma_0) = 0$. So $\gamma_0$ itself is an instance of (Id), $(\bot_L)$, $(\top_R)$, or (Ret).
(Id), $(\bot_L)$, $(\top_R)$: The conclusion of these rules is never falsifiable, so there is nothing to show.
(Ret):

The conclusion of the (Ret) rule is $\Gamma \vdash \Delta$, and there is no premise. From the side condition of the (Ret) rule, we know that no other rules are applicable to $\Gamma \vdash \Delta$. We will now show that $\Gamma \vdash \Delta$ is falsifiable, and that it obeys the variable conditions.

We create a model with a single world $w_0$, and for every atom $p$ in $\Gamma$, we let $\vartheta(w_0, p) = true$, and for every atom $q$ in $\Delta$, we let $\vartheta(w_0, q) = false$. Note that an atom cannot be both in $\Gamma$ and $\Delta$, since the (Id) rule in particular is not applicable to $\Gamma \vdash \Delta$.

To show that $\Gamma \vdash \Delta$ is falsifiable at $w_0$, we need to show that $w_0 \vDash \Gamma$ and $w_0 =\!| \Delta$. For every atom in $\Gamma$ and $\Delta$, the valuation ensures this. For every composite formula $\varphi$, we do a simple induction on its length. The fact that the (Ret) rule is applied implies that no other rules are applicable, therefore the required subformula $\psi$ is already in $\Gamma$ or $\Delta$ as appropriate, and $\psi$ falls under the induction hypothesis.
Thus we know that:
(i) $w_0 \vDash \Gamma$ and
(ii) $w_0 =\!| \Delta$.

Then (i) and the persistence property of BiInt give us that $\forall w \in W : w_0 \mathcal{R} w \Rightarrow w \vDash \Gamma$. Similarly, (ii) and the reverse persistence property of BiInt give us that $\forall w \in W . w \mathcal{R} w_0 \Rightarrow w =\!| \Delta$. Then the conclusion of the (Ret) rule obeys the variable conditions:
$\mathcal{S}$-condition (successor condition): $\exists \Sigma \in \{\Gamma\} . \forall w \in W . w_0 \mathcal{R} w \Rightarrow w \vDash \Sigma$
$\mathcal{P}$-condition (predecessor condition): $\exists \Pi \in \{\Delta\} . \forall w \in W . w \mathcal{R} w_0 \Rightarrow w =\!| \Pi$
Induction step: We assume that the lemma holds for all $\gamma_0$ with $h(\gamma_0) \le k$, and show that it holds for all $\gamma_0$ with $h(\gamma_0) \le k + 1$.

Consider the rule application $\rho$ such that $\gamma_0$ is the conclusion of $\rho$. By the assumption of the lemma, we have that the conclusion $\gamma_0$ of $\rho$ is falsifiable at some $w_0$ in some model $M = (W, \mathcal{R}, \vartheta)$. The only possibilities are that $\rho$ is a static or a special rule, or that it is a transitional rule:

1. $\rho$ is one of the static or special rules (universally branching). Then Lemma 8 tells us that some premise is falsifiable. We now need to show that the variable conditions hold at $\gamma_0$. There are two cases:

$\rho$ is unary: The premise $\gamma_1$ of $\rho$ has $h(\gamma_1) \le k$, therefore the induction hypothesis applies to $\gamma_1$. By Lemma 8 and the fact that $\gamma_0$ is falsifiable at $w_0$, we know that the premise $\gamma_1$ is falsifiable at $w_0$, so by the induction hypothesis we have that the variable conditions hold at $\gamma_1$. Since $\gamma_1$ has the same variables as $\gamma_0$, and since $\gamma_1$ is falsified by the same world $w_0$ as $\gamma_0$, we then know that $\gamma_0$ also obeys the variable conditions.

$\rho$ is $n$-ary with $n > 1$: We show the case for $\mathcal{S}$; the case for $\mathcal{P}$ is symmetric. The premises $\gamma_1$ to $\gamma_n$ of $\rho$ each have $h(\gamma_i) \le k$, therefore the induction hypothesis applies to each $\gamma_i$. By Lemma 8 and the fact that $\gamma_0$ is falsifiable at $w_0$, we know that some $\gamma_m$ is falsifiable at $w_0$, too. Therefore the induction hypothesis tells us that the variable conditions hold at $\gamma_m$. That is, we know that:

$\exists \Sigma_m \in \mathcal{S}_m . \forall w \in W . w_0 \mathcal{R} w \Rightarrow w \vDash \Sigma_m$.

To show that the conclusion $\gamma_0$ obeys the variable condition for $\mathcal{S}$, we need to show the following:

$\exists \Sigma \in \bigcup_1^n \mathcal{S}_i . \forall w \in W . w_0 \mathcal{R} w \Rightarrow w \vDash \Sigma$.

Since $\Sigma_m \in \mathcal{S}_m$ and $\mathcal{S}_m \subseteq \bigcup_1^n \mathcal{S}_i$, we have $\Sigma_m \in \bigcup_1^n \mathcal{S}_i$ and thus the variable conditions hold for $\mathcal{S}$ at the conclusion $\gamma_0$.

2. $\rho$ is one of the transitional rules (existentially branching). We show the case for the $(\to_R)$ rule, the case for the $(-\!\!<_L)$ rule is symmetric:

$(\to_R)$, with conclusion $\Gamma \vdash \Delta, \varphi \to \psi$, where
$\mathcal{S}/\mathcal{P} := \mathcal{S}_1/\mathcal{P}_1$ if $\mathcal{P}_1 = \epsilon$; $\mathcal{S}_2/\mathcal{P}_2$ if right prem created; $\{\Gamma\}/\{\Delta, \varphi \to \psi\}$ otherwise
right prem created only if $\mathcal{P}_1 \neq \epsilon$ & $\forall \Pi_i \in \mathcal{P}_1 . \Pi_i \not\subseteq \{\Delta, \varphi \to \psi\}$

So suppose that the conclusion is falsifiable. Then we know from Definition 12 that there exists a world $w_0$ such that:

(i) $w_0 \vDash \Gamma$ and

(ii) $w_0 =\!| \Delta, \varphi \to \psi$.

From the semantics of $\to$ in BiInt, (ii) implies that there exists a successor $w_1$ such that:

(iii) $w_0 \mathcal{R} w_1$ and

(iv) $w_1 \vDash \varphi$ and

(v) $w_1 \nvDash \psi$.

(a) To show that the left premise of the rule is falsifiable, we need to show that there exists a world $w'$ such that this premise is falsifiable at $w'$. We let $w' = w_1$.

Then items (i), (iv) and (v) give us that the left premise is falsifiable. Now, the left premise $\gamma_1$ is of distance $\le k$ from the furthest leaf node of $T$, therefore the induction hypothesis applies to $\gamma_1$. By the hypothesis assumption, since $\gamma_1$ is falsifiable at $w_1$, we have that the variable conditions hold at $\gamma_1$. In particular, the $\mathcal{P}$ condition holds, giving us:

$\exists \Pi \in \mathcal{P}_1 . \forall w \in W . w \mathcal{R} w_1 \Rightarrow w =\!| \Pi$ (4.1)

Now there are two cases: either the right premise was created, or it was not (and there is nothing to show). If it was created, then we need to show that it is falsifiable by exhibiting a world $w''$ such that the right premise is falsifiable at $w''$. We let $w'' = w_0$. Then, since $w_0 \mathcal{R} w_1$, we have $w_0 =\!| \Pi$ by (4.1). Since $\Pi \in \mathcal{P}_1$, then by Definition 10 we have that $w_0 =\!| \bigwedge \mathcal{P}_1$. Together with (i) and (ii), this means that the right premise is falsifiable at $w_0$.
Moreover, the variable conditions hold at the right premise, since it also is falsifiable, and of distance $\le k$ from the furthest leaf node of $T$, so the induction hypothesis applies to it.

(b) We need to show that the variable conditions hold at the conclusion $\gamma_0$ of the $(\to_R)$ rule. We show the case for the variable $\mathcal{S}$; the case for $\mathcal{P}$ is symmetric. We need to show that:

$\exists \Sigma \in \mathcal{S} . \forall w \in W . w_0 \mathcal{R} w \Rightarrow w \vDash \Sigma$ (4.2)

where $\mathcal{S} := \mathcal{S}_1$ if $\mathcal{P}_1 = \epsilon$; $\mathcal{S}_2$ if right prem created; $\{\Gamma\}$ otherwise.

Since we have shown that the variable conditions hold at the left premise, we know that in particular $\mathcal{P}_1 \neq \epsilon$. Therefore there are two cases: either the right premise was created, or it was not:
— If the right premise $\gamma_2$ was created, then we know that the variable conditions hold at $\gamma_2$, since $\gamma_2$ falls under the induction hypothesis. This gives us:

$\exists \Sigma_2 \in \mathcal{S}_2 . \forall w \in W . w_0 \mathcal{R} w \Rightarrow w \vDash \Sigma_2$
Thus $\mathcal{S} := \mathcal{S}_2$ obeys (4.2).
— If the right premise was not created, then we need to show that $\{\Gamma\}$ obeys the variable conditions at the conclusion. Now, we have $w_0 \vDash \Gamma$ by (i), and then the persistence property tells us that $\forall w \in W . w_0 \mathcal{R} w \Rightarrow w \vDash \Gamma$. Thus $\mathcal{S} := \{\Gamma\}$ obeys (4.2).



4.4 Main Soundness Proof 

Lemma 10. If $\Gamma \vdash \Delta$ is derivable then $\Gamma \vdash \Delta$ is not falsifiable.

Proof. By induction on the height $k$ of the derivation.

Base case: For the base case, the height is 1. A derivation of height 1 can only be an instance of $(\bot_L)$, $(\top_R)$ or (Id). In each case, $\gamma$ is not falsifiable, as shown in cases 1 to 3 of Lemma 8.

Inductive step: We assume that if there is a derivation for $\gamma$ of height $\le k$, then $\gamma$ is not falsifiable. We show that if there is a derivation for $\gamma$ of height $\le k + 1$, then $\gamma$ is not falsifiable.

For a contradiction, suppose there is a derivation $T$ for $\gamma$ of height $k + 1$ and $\gamma$ is falsifiable. Consider the bottom-most rule application $\rho$ in $T$, then $\gamma$ is the conclusion of $\rho$.

Then, by Definition 16, since $T$ is a derivation, then all universally branching premises, or some existentially branching premise of $\rho$ are rooted at derivations of height $\le k$, so by the induction hypothesis, all universally branching premises are, or some existentially branching premise is not falsifiable. But since the conclusion $\gamma$ of $\rho$ is falsifiable by supposition, then by Lemma 9, some universally branching premise, or all existentially branching premises are falsifiable. Now we have a contradiction, therefore our assumption was wrong and $\gamma$ is not falsifiable.

Theorem 2 (Soundness). If $\Gamma \vdash \Delta$ is derivable, then $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$.

Proof. By Lemma 10, we have that $\Gamma \vdash \Delta$ is not falsifiable. Then by Lemma 3, we have $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$.



5 Completeness 

5.1 Proof Outline 

We wish to prove: 

if $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$, then $\Gamma \vdash \Delta$ is derivable.
Instead, we prove the contrapositive:

if $\Gamma \vdash \Delta$ is not derivable, then there exists a counter-model for $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$.

Our proof is based on a standard technique for proving completeness of tableau 
calculi: see [9] . We have adapted this technique to a two-sided sequent calculus 
with variables. 

We assume that $\Gamma \vdash \Delta$ is not derivable, meaning that none of the GBiInt-trees for $\Gamma \vdash \Delta$ is a derivation. Then we choose formulae from sequents found in possibly different GBiInt-trees for $\Gamma \vdash \Delta$ in order to construct a counter-model for $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$. The counter-model is constructed so that it contains a world $w$ such that $w \vDash \Gamma$ and $w =\!| \Delta$, hence $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$ does not hold.

5.2 Saturated Sets

Definition 24. Given a sequent $\Gamma \vdash \Delta$, we say that:

— $\Gamma \vdash \Delta$ is consistent if all of the following hold:

1. $\bot \notin \Gamma$

2. $\top \notin \Delta$

3. $\Gamma \cap \Delta = \epsilon$

— $\Gamma \vdash \Delta$ is closed with respect to a GBiInt rule $\rho$ if either:

• $\rho$ is not applicable to $\Gamma \vdash \Delta$, or

• Whenever $\Gamma \vdash \Delta$ matches the conclusion of an instance of $\rho$, then for some premise $\Gamma_1 \vdash \Delta_1$ of the instance of $\rho$, we have $\Gamma_1 \subseteq \Gamma$ and $\Delta_1 \subseteq \Delta$.

— $\Gamma \vdash \Delta$ is saturated if it is consistent and closed with respect to the static rules of GBiInt.

The following corollaries follow directly from the definition of consistent sequents.

Corollary 3. If $\Gamma \vdash \Delta$ is consistent, then none of the rules (Id), $(\bot_L)$, $(\top_R)$ is applicable to it.

Corollary 4. If the sequent

$\mathcal{S}/\mathcal{P} \parallel \Gamma \vdash \Delta$

is not derivable, then $\Gamma \vdash \Delta$ is consistent for all values of $\mathcal{S}$ and $\mathcal{P}$.

Remark 2. As usual, every sequent has a set of one or more "saturations" due to the branching of $(\land_R)$, $(\lor_L)$, etc., rules. The usual approach is to non-deterministically choose one of the non-derivable premises of each such rule. However, in the presence of the inverse relation, a branch that appears open may close once we return variables to a lower sequent. Therefore, we need to temporarily keep all the non-derivable premises, since we do not know which of the open branches will stay open when we return to a lower sequent.

Lemma 11. For each finite non-derivable sequent $\Gamma \vdash \Delta$, there is an effective procedure to construct a finite set $\zeta = \{\alpha_1, \cdots, \alpha_n\}$ of finite saturated sequents, with $\Gamma \cup \Delta \subseteq LHS(\alpha_j) \cup RHS(\alpha_j) \subseteq sf(\Gamma) \cup sf(\Delta)$ for all $1 \le j \le n$.

Proof. Since $\Gamma \vdash \Delta$ is non-derivable, we know from Corollary 4 that $\Gamma \vdash \Delta$ is consistent. Then from Corollary 3 we know that the (Id), $(\bot_L)$, $(\top_R)$ rules are not applicable to $\Gamma \vdash \Delta$. Let $T = \Gamma \vdash \Delta$. While some static rule $\rho$ is applicable to a leaf of $T$, extend $T$ by applying $\rho$ to the leaf to obtain new leaves. Keep the non-derivable leaves only; by Corollary 4 they are consistent. By Theorem 1, the saturation process will eventually terminate; let $\zeta = \{\alpha_1, \cdots, \alpha_n\}$ be the final leaves of $T$. Since the formulae in each premise are always subformulae of the conclusion, we have that $LHS(\alpha_j) \cup RHS(\alpha_j) \subseteq sf(\Gamma) \cup sf(\Delta)$ for all $1 \le j \le n$.

5.3 Model Graphs and Satisfiability Lemma

We shall use model graphs as an intermediate structure between GBiInt-trees and BiInt models.

Definition 25. A model graph for a sequent $\Gamma \vdash \Delta$ is a finite BiInt frame $(W, \mathcal{R})$ such that all $w \in W$ are saturated sequents $\Gamma_w \vdash \Delta_w$ and all of the following hold:

1. $\Gamma \subseteq \Gamma_{w_0}$ and $\Delta \subseteq \Delta_{w_0}$ for some $w_0 \in W$, where $w_0 = \Gamma_{w_0} \vdash \Delta_{w_0}$;

2. if $\varphi \to \psi \in \Delta_w$ then $\exists v \in W$ with $w \mathcal{R} v$ and $\varphi \in \Gamma_v$ and $\psi \in \Delta_v$;
3. if $\varphi -\!\!< \psi \in \Gamma_w$ then $\exists v \in W$ with $v \mathcal{R} w$ and $\varphi \in \Gamma_v$ and $\psi \in \Delta_v$;
4. if $w \mathcal{R} v$ and $\varphi \to \psi \in \Gamma_w$ then $\psi \in \Gamma_v$ or $\varphi \in \Delta_v$;
5. if $v \mathcal{R} w$ and $\varphi -\!\!< \psi \in \Delta_w$ then $\psi \in \Gamma_v$ or $\varphi \in \Delta_v$;
6. if $w \mathcal{R} v$ and $\varphi \in \Gamma_w$ then $\varphi \in \Gamma_v$;
7. if $v \mathcal{R} w$ and $\varphi \in \Delta_w$ then $\varphi \in \Delta_v$.

We now show that given a model graph, we can use it to construct a BiInt model.

Lemma 12. If there exists a model graph $(W, \mathcal{R})$ for $\Gamma \vdash \Delta$, then there exists a BiInt model $M = (W, \mathcal{R}, \vartheta)$ such that for some $w_0 \in W$, we have $w_0 \vDash \Gamma$ and $w_0 =\!| \Delta$. We call $M$ the counter-model for $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$.

Proof. Since we already have a BiInt frame $(W, \mathcal{R})$, we need to define a valuation $\vartheta$ in order to construct a BiInt model $M = (W, \mathcal{R}, \vartheta)$:

1. For every world $w \in W$ and every atom $p \in \Gamma_w$, let $\vartheta(w, p) = true$.

2. For every world $w \in W$ and every atom $q \in \Delta_w$, let $\vartheta(w, q) = false$.

Then properties 6 and 7 of Definition 25 ensure persistence and reverse persistence respectively.

We now need to show that for every world $w \in W$, we have $w \vDash \Gamma_w$ and $w =\!| \Delta_w$; we can do this by simple induction on the length of the formulae in $\Gamma_w \vdash \Delta_w$.

Now let $w_0$ be the world in the model graph such that $\Gamma \subseteq \Gamma_{w_0}$ and $\Delta \subseteq \Delta_{w_0}$. Since our proof by induction has shown that for every world $w \in W$, we have $w \vDash \Gamma_w$ and $w =\!| \Delta_w$, then in particular, we have that $w_0 \vDash \Gamma_{w_0}$ and $w_0 =\!| \Delta_{w_0}$. Then, since we have that $\Gamma \subseteq \Gamma_{w_0}$ and $\Delta \subseteq \Delta_{w_0}$, we also have $w_0 \vDash \Gamma$ and $w_0 =\!| \Delta$.
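The construction of Lemma 12 run on a small model graph, as an added example that is not part of the paper: the tuple encoding of formulae, the world names w0 and w1, and the graph itself (for the sequent with empty left side and p or (p -> bot) on the right) are constructed for illustration. It reads the valuation off the left sides, checks properties 2 to 7 of Definition 25, and confirms that every world forces its left side and rejects its right side.

```python
BOT, TOP = ("bot",), ("top",)


def atom(name):
    return ("atom", name)


def closure(worlds, edges):
    """Reflexive-transitive closure of `edges` over `worlds`."""
    rel = {(w, w) for w in worlds} | set(edges)
    while True:
        extra = {(a, d) for (a, b) in rel for (c, d) in rel if b == c} - rel
        if not extra:
            return rel
        rel |= extra


def valuation(graph):
    """Lemma 12: an atom is true at w exactly when it occurs in Gamma_w."""
    return {w: {f[1] for f in gamma if f[0] == "atom"}
            for w, (gamma, _delta) in graph.items()}


def forces(w, f, rel, val):
    """Kripke forcing for BiInt; `rel` must be reflexive and transitive."""
    kind = f[0]
    if kind == "atom":
        return f[1] in val[w]
    if kind in ("bot", "top"):
        return kind == "top"
    left, right = f[1], f[2]
    if kind == "and":
        return forces(w, left, rel, val) and forces(w, right, rel, val)
    if kind == "or":
        return forces(w, left, rel, val) or forces(w, right, rel, val)
    if kind == "imp":    # every successor forcing `left` also forces `right`
        return all(not forces(v, left, rel, val) or forces(v, right, rel, val)
                   for (u, v) in rel if u == w)
    if kind == "excl":   # some predecessor forces `left` and rejects `right`
        return any(forces(v, left, rel, val) and not forces(v, right, rel, val)
                   for (v, u) in rel if u == w)
    raise ValueError(f"unknown connective: {kind}")


def graph_violations(graph, rel):
    """Numbers of the properties 2-7 of Definition 25 that the graph breaks."""
    bad = set()
    for w, (gw, dw) in graph.items():
        for f in dw:
            if f[0] == "imp" and not any(
                    f[1] in graph[v][0] and f[2] in graph[v][1]
                    for (u, v) in rel if u == w):
                bad.add(2)
        for f in gw:
            if f[0] == "excl" and not any(
                    f[1] in graph[v][0] and f[2] in graph[v][1]
                    for (v, u) in rel if u == w):
                bad.add(3)
    for (w, v) in rel:   # w is a predecessor of v
        (gw, dw), (gv, dv) = graph[w], graph[v]
        if any(f[0] == "imp" and not (f[2] in gv or f[1] in dv) for f in gw):
            bad.add(4)
        if any(f[0] == "excl" and not (f[2] in gw or f[1] in dw) for f in dv):
            bad.add(5)
        if not gw <= gv:
            bad.add(6)
        if not dv <= dw:
            bad.add(7)
    return sorted(bad)


def lemma12_failures(graph, rel):
    """Worlds where 'w forces Gamma_w and rejects Delta_w' does not hold."""
    val = valuation(graph)
    return [w for w, (gamma, delta) in graph.items()
            if not all(forces(w, f, rel, val) for f in gamma)
            or any(forces(w, f, rel, val) for f in delta)]


# Constructed model graph: w0 rejects excluded middle, w1 is its successor.
P = atom("p")
NOT_P = ("imp", P, BOT)        # intuitionistic negation of p
LEM = ("or", P, NOT_P)
CO_NOT_P = ("excl", TOP, P)    # dual negation of p, defined as top -< p
GRAPH = {
    "w0": (frozenset(), frozenset({LEM, P, NOT_P, BOT})),
    "w1": (frozenset({P}), frozenset({BOT})),
}
REL = closure(GRAPH, {("w0", "w1")})
VAL = valuation(GRAPH)

if __name__ == "__main__":
    print("Definition 25 violations:", graph_violations(GRAPH, REL))
    print("Lemma 12 failures:", lemma12_failures(GRAPH, REL))
    print("w0 forces p or not p:", forces("w0", LEM, REL, VAL))
    print("w1 forces p and ~p:", forces("w1", ("and", P, CO_NOT_P), REL, VAL))
```

The same two-world frame also makes p together with its dual negation true at w1, because the predecessor w0 rejects p.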



5.4 Main Completeness Proof 

We now show how to construct a model graph for $\Gamma \vdash \Delta$ from a consistent $\Gamma \vdash \Delta$. Recall from Remark 2 that we need to keep a number of independent versions of worlds because of the choices arising due to disjunctive non-determinism. We do this by storing one or more independent connected-components $(W_1, \mathcal{R}_1), \cdots, (W_n, \mathcal{R}_n)$ in the constructed model graph $(W, \mathcal{R})$, and the indices (sorts) of worlds and relations tell us the connected-component of the graph to which they belong. We write $(W_j, \mathcal{R}_j)[j := i]$ to relabel the connected component $(W_j, \mathcal{R}_j)$ with sort $j$ to a connected component $(W_i, \mathcal{R}_i)$ with sort $i$. Similarly, we also label each member of the variables $\mathcal{P}$ and $\mathcal{S}$, so we can later extract the member with sort $i$, corresponding to the component of $(W, \mathcal{R})$ with sort $i$. We write $\mathcal{R}$-neighbour to mean $\mathcal{R}$-predecessor or $\mathcal{R}$-successor.

Procedure MGC

Input: sequent $\Gamma \vdash \Delta$

Output: model graph $(W_f, \mathcal{R}_f)$, variables $\mathcal{S}_f$ and $\mathcal{P}_f$

1. Let $\zeta = \{\alpha_1, \cdots, \alpha_n\}$ be the result of saturating $\Gamma \vdash \Delta$ using Lemma 11;

2. For each $\alpha_i \in \zeta$ do

   (a) Let $(W_i, \mathcal{R}_i) = (\{\alpha_i\}, \{(\alpha_i, \alpha_i)\})$; let recompute := false;

   (b) For each non-blocked $\varphi \to \psi \in \Delta_{\alpha_i}$ and while recompute = false do

       i. Apply $(\to_R)$ to $\varphi \to \psi$ and obtain a left premise $\pi_1 = \Gamma_{\alpha_i}, \varphi \vdash \psi$;

       ii. Let $(W, \mathcal{R}), \mathcal{S}, \mathcal{P} := MGC(\pi_1)$;

       iii. If $\exists \Pi_j \in \mathcal{P} . \Pi_j \subseteq \Delta_{\alpha_i}$ then

            A. Let $u_j \in W_j$ be the root of the connected component $W_j$ from $W$;

            B. Let $G = (W_j, \mathcal{R}_j)[j := i]$; add $G$ to $(W_i, \mathcal{R}_i)$, and put $\alpha_i \mathcal{R}_i u_j$.

       iv. else

            A. Let $(W_i, \mathcal{R}_i) = (\epsilon, \epsilon)$; let recompute := true;

            B. Invoke the right premise of $(\to_R)$ to obtain $\pi_2 = \Gamma_{\alpha_i} \vdash \Delta_{\alpha_i}, \bigwedge \mathcal{P}$;

            C. Apply $(\bigwedge_R)$ to $\pi_2$ to obtain $m \ge 1$ non-derivable premises $\gamma_1, \cdots, \gamma_m$;

            D. For each $\gamma_k$, $1 \le k \le m$, let $(W_k, \mathcal{R}_k), \mathcal{S}_k, \mathcal{P}_k := MGC(\gamma_k)$;

            E. Let $(W_i, \mathcal{R}_i) := (\bigcup W_k, \bigcup \mathcal{R}_k)$, and $\mathcal{S}_i := \bigcup \mathcal{S}_{\gamma_k}$ and $\mathcal{P}_i := \bigcup \mathcal{P}_{\gamma_k}$;

   (c) For each non-blocked $\varphi -\!\!< \psi \in \Gamma_{\alpha_i}$ and while recompute = false do

       i. Perform a symmetric procedure to Steps 2(b)i to 2(b)ivE.

   (d) If recompute = false then let $\mathcal{S}_i := \{\Gamma_{\alpha_i}\}$ and $\mathcal{P}_i := \{\Delta_{\alpha_i}\}$.

3. Return $(\bigcup W_i, \bigcup \mathcal{R}_i), \bigcup \mathcal{S}_i, \bigcup \mathcal{P}_i$

Fig. 4. Model Graph Construction Procedure

Our algorithm in Fig. 4 starts by saturating the root world to obtain one or more saturated "states". For each "state" $\alpha_i$, it recursively creates all the $\mathcal{R}$-neighbours and saturates them, and so on. If during the construction of any $\mathcal{R}$-neighbour, new information is returned from the higher sequents (Step 2(b)iv), then we delete the entire subtree (connected component of sort $i$) rooted at $\alpha_i$, and recreate $\alpha_i$ using the new information (Step 2(b)ivB). This re-creates all the $\mathcal{R}$-neighbours of $\alpha_i$. Otherwise, if none of the $\mathcal{R}$-neighbours of $\alpha_i$ return any new information, or there are no $\mathcal{R}$-neighbours for $\alpha_i$, then Step 2d instantiates the variables and returns from the recursion. In the latter case, the "state" $\alpha_i$ already has all the required information it can possibly receive from any $\mathcal{R}$-neighbours, thus $\alpha_i$ is final. Note the duality: new information from a single $\mathcal{R}$-neighbour means that all of the members of a variable were new, while new information at a "state" $\alpha_i$ means that some $\mathcal{R}$-neighbour returned new information.

When we return from MGC, we form the union of the components of the model graph and the variables from the different "states", so that the caller of MGC can extract the appropriate component at Step 2(b)iiiA.

Remark 3. Note that while the counter-model construction procedure keeps the whole counter-model in memory, this procedure is only used to prove the completeness of GBiInt. Our procedure for checking the validity of BiInt formulae (Fig. 3) does not need the whole counter-model, and explores one branch at a time, as is usual for sequent/tableaux calculi.

Theorem 3 (Completeness). GBiInt is complete: if $\Gamma \vdash \Delta$ is not derivable, then there exists a counter-model for $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$.

Proof. Suppose $\Gamma \vdash \Delta$ is not derivable, then by Corollary 4 we have that $\Gamma \vdash \Delta$ is consistent. We construct a model graph for $\Gamma \vdash \Delta$ using the procedure given in Figure 4, and obtain $(W_f, \mathcal{R}_f)$. We let $(W, \mathcal{R})$ be any connected component of $(W_f, \mathcal{R}_f)$. We now show that $(W, \mathcal{R})$ satisfies the properties of a model graph from Definition 25:

1. $\Gamma \subseteq \Gamma_{w_0}$ and $\Delta \subseteq \Delta_{w_0}$ for some $w_0 \in W$: This holds because $w_0$ is one of the saturated sequents obtained from $\Gamma \vdash \Delta$. Moreover, if we delete the original $w_0$ at Step 2(b)ivA, a final version of $w_0$ is created at Step 2(b)iiiB which is never deleted.

2. if $\varphi \to \psi \in \Delta_w$ then $\exists v \in W$ with $w \mathcal{R} v$ and $\varphi \in \Gamma_v$ and $\psi \in \Delta_v$: This holds because we have either created $v$ using $(\to_R)$ at Step 2(b)iiiB, or had $w$ fulfill the role of this successor by reflexivity if $(\to_R)$ was blocked.

3. if $\varphi -\!\!< \psi \in \Gamma_w$ then there exists some $v \in W$ with $v \mathcal{R} w$ and $\varphi \in \Gamma_v$ and $\psi \in \Delta_v$: By symmetry with property 2.

4. if $w \mathcal{R} v$ and $\varphi \to \psi \in \Gamma_w$, then
$\psi \in \Gamma_v$ or $\varphi \in \Delta_v$: In our construction, there
are three ways of obtaining $w \mathcal{R} v$, so we need to show that for
each case, the property holds. We first show that
$\varphi \to \psi \in \Gamma_v$:

(a) $v$ was created by applying $(\to_R)$ to $w$ on some
$\alpha \to \beta \in \Delta_w$. Then $\Gamma_v$ also contains
$\varphi \to \psi$.

(b) $w$ was created by applying $({-\!\!<}_L)$ to some
$\alpha \mathrel{-\!\!<} \beta \in \Gamma_v$. Then, when the final version of
$\Gamma_w$ was created, $\varphi \to \psi \in \Gamma_w$ was added to the $S$
variable at Step 2d. There are two cases:

— The right premise $\pi_2$ of $({-\!\!<}_L)$ was invoked at $v$. Then $S$ was
added to $\pi_2$ at $v$ by the symmetric process to Step 2(b)ivB. Thus the
updated $\Gamma_v$ also contains $\varphi \to \psi$.

— The right premise of $({-\!\!<}_L)$ was not invoked at $v$. This means that
$\exists S_j \in S.\ S_j \subseteq \Gamma_v$, and the $j$-th version of $v$'s
predecessor $w$ is chosen at the symmetric process to Step 2(b)iiiA. But
since Step 2d at $w$ assigns $S_j := \Gamma_w$, then we have
$\Gamma_w \subseteq \Gamma_v$ and thus $\varphi \to \psi \in \Gamma_v$.

(c) $v = w$, and $w \mathcal{R} w$ by reflexivity. Then
$\Gamma_v = \Gamma_w$, so $\varphi \to \psi \in \Gamma_v$.

In all cases, saturation for $v$ will then ensure that $\psi \in \Gamma_v$ or
$\varphi \in \Delta_v$.

5. if $v \mathcal{R} w$ and $\varphi \mathrel{-\!\!<} \psi \in \Delta_w$ then
$\psi \in \Gamma_v$ or $\varphi \in \Delta_v$:
By symmetry with property 4.

6. if $w \mathcal{R} v$ and $\varphi \in \Gamma_w$ then $\varphi \in \Gamma_v$:
By similar argument to property 4.

7. if $v \mathcal{R} w$ and $\varphi \in \Delta_w$ then $\varphi \in \Delta_v$:
By symmetry with property 6.

We can obtain a counter-model for $\Gamma \Vdash_{\mathrm{BiInt}} \Delta$ from
$(W, \mathcal{R})$ via Lemma 12.

Definition 26. A di-tree is a directed graph such that if the direction of the 
edges is ignored, it is a tree. 

Theorem 4. Every falsifiable BiInt sequent can be falsified by a model whose
frame is a di-tree, consisting of reflexive points.

Proof. From Lemmas 5 and 6, we know that the construction of new successors
for $\varphi \to \psi$ and predecessors for $\varphi \mathrel{-\!\!<} \psi$
stops when either there are no rejected $\varphi \to \psi$-formulae or forced
$\varphi \mathrel{-\!\!<} \psi$-formulae in the current world, or the current
world already forces $\varphi$ and rejects $\psi$. In the latter case, the
world itself fulfills the role of the successor or predecessor by
reflexivity, and no new successors or predecessors are created.

The reason we are able to avoid proper cycles is the persistence and reverse
persistence properties of BiInt, used in the $(\to_R^I)$ and
$({-\!\!<}_L^I)$ rules.

Consider the $\to$ case. Every time some $\varphi \to \psi$ appears on the RHS
of a sequent $\Gamma \vdash \Delta, \varphi \to \psi$, we first add $\psi$ to
the RHS to obtain $\Gamma \vdash \Delta, \varphi \to \psi, \psi$ using the
$(\to_R^I)$ rule, since by reverse persistence the current world must reject
everything that some successor world rejects. Now that $\psi$ is on the RHS,
we need to apply the $(\to_R)$ rule to create the $\varphi \to \psi$-successor
$\Gamma, \varphi \vdash \psi$ only if $\varphi$ is not already on the LHS. For
if $\varphi \in$ LHS, then the successor $\Gamma \vdash \psi$ that fulfills
$\varphi \to \psi$ can be the current world itself. So there is no point
creating it explicitly.

Corollary 5. BiInt is characterised by finite rooted reflexive and transitive
di-trees of reflexive points.
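
The following Python example is added here and is not taken from the paper or its Java implementation. It checks Definition 26 on a frame and evaluates the Kripke forcing conditions for implication and exclusion from the Introduction on a constructed two-point di-tree; the tuple encoding of formulae and all function names are assumptions of this example.

```python
from itertools import product
# Formulae are tuples: ("var", "p"), ("bot",), ("top",), ("and", a, b),
# ("or", a, b), ("imp", a, b) for a -> b, ("excl", a, b) for a -< b.

def closure(worlds, edges):
    """Reflexive-transitive closure of the given edges."""
    rel = {(w, w) for w in worlds} | set(edges)
    while True:
        new = {(a, d) for (a, b), (c, d) in product(rel, rel) if b == c} - rel
        if not new:
            return rel
        rel |= new

def is_ditree(worlds, edges):
    """Definition 26: with edge directions ignored, the graph is a tree."""
    undirected = closure(worlds, list(edges) + [(v, u) for u, v in edges])
    return len(set(edges)) == len(worlds) - 1 and len(undirected) == len(worlds) ** 2

def persistent(rel, val):
    """Atoms forced at w stay forced at every successor of w."""
    return all(val[w] <= val[v] for w, v in rel)

def forces(rel, val, w, f):
    def sub(x, g):
        return forces(rel, val, x, g)
    op, args = f[0], f[1:]
    if op == "var":
        return args[0] in val[w]
    if op in ("bot", "top"):
        return op == "top"
    if op in ("and", "or"):
        return (all if op == "and" else any)(sub(w, a) for a in args)
    if op == "imp":   # every successor that forces a also forces b
        return all(not sub(v, args[0]) or sub(v, args[1]) for u, v in rel if u == w)
    if op == "excl":  # some predecessor forces a but does not force b
        return any(sub(v, args[0]) and not sub(v, args[1]) for v, u in rel if u == w)
    raise ValueError(f"unknown connective: {op}")

def falsifies(rel, val, w, gamma, delta):
    """True if w forces every formula in gamma and none in delta."""
    return all(forces(rel, val, w, g) for g in gamma) and not any(
        forces(rel, val, w, d) for d in delta)

# Constructed two-point di-tree 0 -> 1 with p forced only at world 1.
WORLDS, EDGES, VAL = [0, 1], [(0, 1)], {0: set(), 1: {"p"}}
R = closure(WORLDS, EDGES)
P, BOT, TOP = ("var", "p"), ("bot",), ("top",)
EXCLUDED_MIDDLE = ("or", P, ("imp", P, BOT))    # p or not-p
DUAL_CONTRA = ("and", P, ("excl", TOP, P))      # p and ~p, with ~p := top -< p
```

World 0 falsifies the sequent with empty left-hand side and excluded middle on the right, while world 1 forces the dual contradiction, so the same reflexive di-tree separates both laws.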

6 Conclusions and Future Work 

Our cut-free calculus for BiInt enjoys terminating backward proof-search and
is sound and complete w.r.t. Kripke semantics. A simple Java implementation
of GBiInt is available at http://users.rsise.anu.edu.au/~linda. The next
step is to add a cut rule to GBiInt, and prove cut elimination syntactically.
We are also extending our work to the modal logic S5, and the tense logic
Kt.S4. Our approach of existential branching and inter-premise communication
bears some similarities to hypersequents of Pottinger and Avron [1]. It would
be interesting to investigate this correspondence further. From an automated
deduction perspective, GBiInt is the first step towards an efficient decision
procedure for BiInt. The next task is to analyse the computational complexity
of GBiInt and investigate which of the traditional optimisations for tableaux
systems are still applicable in the intuitionistic case.

We would like to thank the anonymous reviewers for their suggestions. 